Remote Resource Kit Roundup


Remote Administer your Windows NT 4.0 system from afar

Systems administrators who rarely have time to visit each machine in a network need Windows NT Server 4.0 administration tools that can execute complex scripts on several remote computers simultaneously. For some administrators, remote-control packages such as Symantec's pcAnywhere or Netopia's Timbuktu Pro are solutions. Such remote-control applications work best for taking over one PC, allowing one-on-one interaction to guide a user through a complicated task, accomplish one-off configuration, or troubleshoot tasks that you can't accomplish remotely through scripting.

However, my goal is to perform every administrative task across many machines simultaneously from the command line within a scripted environment. To accomplish that goal, I use the remote-administration tools in the Microsoft Windows NT Server 4.0 Resource Kit, including Supplement 4. (For more information about Supplement 4, see Mark Minasi, This Old Resource Kit, "Windows NT Resource Kit Supplement 4," page 187.) For those of you who have similar goals, I share a list of the tools that I've found most useful in my day-to-day administrative tasks.

Addusers (addusers.exe), a command-line utility for adding user accounts and global and local groups into the NT Server 4.0 SAM, works with the domain controller SAM or a member server or workstation. Addusers accepts a file (i.e., the list of user accounts or groups you want to import) in a particular format as input. The command

addusers \\myPDC /c userlist.txt

adds the users and groups in the userlist.txt file to myPDC. The /c option tells Addusers to create new user accounts as the input file specifies them. You can also use the /d option to dump users to a file from the SAM. The resulting file has the correct format for import.

You can use Addusers to populate a test domain with multiple accounts or to dump the SAM's contents for duplication elsewhere. When you use the dump option for an account, Addusers doesn't retain the account's domain SID. The dump option simply dumps to text the user's name and associated account properties.

Auditpol (auditpol.exe) lets you set domain or local SAM audit policy for a local or remote machine. (You can also set the audit policy from User Manager/Policies/Audit.) When you direct the Auditpol command to the PDC in a domain, the command sets audit policy for the entire domain. You can choose only one option for each audit category; the categories are the same categories as those in User Manager/Policies/Audit. For example, if you enable logon auditing, you can specify auditing on successful logon, auditing on failed logon, or both.

The command

auditpol \\servera /enable /logon:failure /sam:failure

changes the audit policy on server servera. If servera were a PDC, the change would affect the audit policy on the entire domain. The /enable parameter enables the auditing function. The /logon:failure parameter audits logon and logoff events for failed events only. The /sam:failure policy audits attempted SAM changes that were failed events. If the administrator's attempt to delete a user account failed because of insufficient privileges, the /sam:failure audit policy would trigger a security event.

Browmon (browmon.exe), a GUI utility, lets you monitor the browser status on your local subnet for each network transport. You can identify the master and backup browsers for your local subnet, examine their browse lists, and troubleshoot browsing problems. Browmon can help you find a problem's source if you notice that, while you're browsing your networks, some machines don't appear on the browse list in Network Neighborhood. You can use Browmon to identify the master and backup browser machines on your subnet. Then, you can examine the browse lists for the master and backup machines and narrow your problem by determining which master or backup browser is missing one or more machines from its browse list. Browmon reports browser status only on the subnet where it's running, and the tool doesn't report information from remote subnets unless the machine running Browmon is physically connected to remote subnets.

Browstat (browstat.exe) and Browmon have similar functions, but Browstat also provides statistics about browser flags. Every NetBIOS machine in your network has flags that identify a role the machine plays (e.g., server, workstation, time server). So, if you use the resource kit's Time Service, Browstat can tell you which servers advertise themselves as primary time servers. The command

browstat view NetBT_ELNK3

displays a list of machines on transport NetBT_ELNK3 and the machines' NetBIOS flags. (ELNK3 is the NIC adapter's name.) Browstat comes with several other browser-related commands, including the ability to force a browser election on a remote subnet (using the elect option) or the ability to stop a master browser's operation (using the tickle option), which might be helpful when you use Browmon to troubleshoot browsing problems. Browstat often requires you to type the transport name you're asking about because the browser maintains separate lists on each transport (e.g., TCP/IP, NWLink, NetBEUI). To get the default transport's name, use the Browstat Status command.

Compreg (compreg.exe) lets you compare Registry key contents of local and remote machines. For example, to ensure that two machines have the same default user settings for desktop preferences, you would type

compreg "us\.default\control panel\desktop" \\remotews

The example compares the contents of the .default\control panel\desktop key under the HKEY_USERS (us) Registry subtree on a local machine with the same key on remote machine remotews. Similarly, the command could have specified two remote machines by including a Uniform Naming Convention (UNC) path in front of the Registry path (e.g., \\ws2\us\.default\control panel\desktop).

Delprof (delprof.exe) lets you delete cached profiles from a local or remote machine. Delprof looks for cached profiles in the HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\WindowsNT\CurrentVersion\ProfileList Registry key. Delprof's default behavior is to prompt you to delete all inactive profiles (i.e., profiles that no one has used for a specified time). To make Delprof prompt you for each profile, use the /p parameter. To set the number of days after which Delprof considers an unused profile to be inactive, use the /d parameter. In the example

delprof /p /c:servera /d:10

Delprof deletes all cached profiles on servera that no one has used in 10 days. The /p parameter tells Delprof to prompt you to confirm each profile's deletion. Delprof won't return any information to you when all system profiles are active.

Occasionally, you might find a cached profile that Delprof misses and that you can't delete manually or with other tools. A bug in NT 4.0 can let a cached profile (specifically, the profile's ntuser.dat file) remain locked even though the user has logged off. The easy solution is to reboot the machine, unless you can determine which process locked the file. For example, the sound device on some Compaq workstations can lock the profile's ntuser.dat file. In this case, you can usually free the file and delete the profile if you stop the sound device within Control Panel.

Dhcpcmd (dhcpcmd.exe), which lets you view and manage DHCP servers, can list active leases on a scope, create new scopes, add or change scope or global options, and modify serverwide parameters. The command

dhcpcmd enumclients -v

creates a verbose listing of active leases on a particular scope. The enumclients option tells Dhcpcmd to list all active leases on the scope I've specified. In the example, is the DHCP server's IP address, and is the scope subnet on which the command lists active leases. The -v option specifies that I want verbose output.

Dhcploc (dhcploc.exe) helps you detect rogue DHCP servers. In the command, you provide a list of IP addresses for DHCP servers, then Dhcploc pings the DHCP servers and returns a list of responses. The command

dhcploc -p ""

executes a Dhcploc command on the interface that has an IP address of The first address in the command line is typically the address of the machine from which you're running the command. The IP addresses in quotation marks are addresses for authorized servers. If the responses aren't on the valid-server list, the responding servers are rogues. The -p option tells Dhcploc not to display responses from valid servers you've specified in the list. Thus, you can assume any responses you get are rogues. The utility also can send alerts to specified users (at intervals you determine) when Dhcploc detects rogues. To send alerts, use the -a and -I options. The command

dhcploc -p "" 
-a:"administrator" -I:1800

sends an alert to the administrator account (-a option) every 30 minutes (-I option in seconds).

Dhcploc uses broadcast-based DHCP discover packets to determine which DHCP servers respond, and the way your network forwards these broadcasts can limit the utility's effectiveness. In a routed network, you need to configure your network routers to forward DHCP discover packets to all subnets that might have rogue DHCP servers. If this configuration isn't practical, you might use a tool such as the NT scheduler service to run a Dhcploc instance on a workstation on each subnet.

Dnscmd (dnscmd.exe) helps you manage NT 4.0 DNS servers. (This utility doesn't work for UNIX-based DNS implementations.) Using Dnscmd, you can gather server statistics, list zone files, create or delete new zones, and switch between primary and secondary zone types on a specified DNS server. The command

dnscmd myserver getserverinfo

gathers server statistics on DNS server myserver.

Dommon (dommon.exe), a GUI utility, lets you monitor the secure-channel trust connections between domain controllers in NT 4.0 domains. Dommon provides a bird's-eye view of all domain controllers and their status in all of your trusted domains, letting you troubleshoot trust problems and identify domain controllers that break secure-channel connections. If you've ever tried logging on to a domain from a workstation or server and received the message No logon servers available to service your request, you might find Dommon useful in tracking the problem. Generally, this error happens because of a failed secure-channel connection between a BDC and the PDC. Dommon can help you find this problem by showing the status of all domain controllers in a domain, or even across domain trusts. In large networks, Dommon can take several minutes to list all trusted domain connections to all of your domain controllers. If you detect a problem, I recommend using Nlmon (nlmon.exe) or Nltest (nltest.exe) to pinpoint the source.

Dumpel (dumpel.exe) uses filter information that you provide to dump a local or remote NT event log's contents to a file. Dumpel is a command-line version of NT Event Viewer's filtering and Save As function. The command

dumpel -d 5 -e 515 -m Security -l security -s remote >remotesecurity.log

dumps the Security event log from a remote machine called remote (-s option), filtering for the past 5 days (-d option) on event ID 515 (-e option). In the example, the -m option specifies the NT subsystem that triggered event ID 515. If you specify -e, you also need to specify -m. The -l security option specifies that I want to dump events from the Security event log, rather than from the Application or System logs. In the example, I use the DOS redirection operator (>) to redirect Dumpel's output to the remotesecurity.log file. Dumpel provides the -f option to redirect output to a file, but -f doesn't appear to work correctly in this version of the tool.

Fcopy (fcopy.exe) performs multithreaded, reliable file copies between multiple systems. You need to install Microsoft Message Queue Server (MSMQ) on all systems that use Fcopy. MSMQ guarantees that the system reliably copies files over intermittent network links, making Fcopy robust for copying files to dial-up or WAN-based devices. The command

fcopy  \\source\temp\*.*  \\destination\temp /s /o

copies the source files to the destination system. The /s option instructs Fcopy to copy each source file, and /o specifies compression.

Fcopy supports copying of NTFS permissions. It also compresses and encrypts, and it can validate checksums to ensure that it doesn't copy files that already exist at the destination. Fcopy requires three files: fcopy.exe for the client, fcopysrv.exe for the server, and fcopy.dll for a DLL. You need to install these three files on source and destination systems.

Findgrp (findgrp.exe) lets you trace a particular user's group membership. For example, suppose you're trying to track down the ultimate permissions a user has over a resource. A local group's permission to use that resource might hide the fact that the particular user's global group membership also allows access to the resource. Findgrp can find the user's global group membership and direct and indirect local group membership. The command

findgrp domaina domainb\joeuser

checks domainb\joeuser's group membership in domaina.

Getmac (getmac.exe) finds the media access control (MAC) address and transport name for a local or remote machine. This information is useful if you use Network Monitor to view network traffic and need a machine's MAC address to establish a filter. The command

getmac \\machinea

retrieves the MAC address and transport name for machinea.

Getsid (getsid.exe) lets you resolve usernames to their SIDs. You need to enter two account names because Getsid compares SIDs on two machines. However, Getsid can resolve a single account if you enter that account twice. For example,

getsid \\pdca joeuser \\pdca joeuser

returns joeuser's SID from the pdca domain controller. If you specify a domain controller as the server, Getsid returns the account SID for the user's domain account.

The command

getsid \\workstation administrator \\workstation2 administrator

compares the local administrator account SIDs for two workstations. You'll find this technique handy if you use cloning software to install NT Workstation 4.0 and want to verify that the SIDs change properly from one machine to another. Getsid will show identical administrator account SIDs if your cloning software failed to properly generate a new SID.

Global (global.exe) is a command-line utility that reveals the membership list for global groups in a domain. For example, the command

global "Domain Users" \\DC1

lists the members of the domain users group in domain DC1. The Global utility gives you a quick method for determining whether a user is a member of a particular group.

Local (local.exe) generates the membership list for local groups in a domain, server, or workstation setup. For example,

local administrators \\workstationa

lists members of the local administrators group for remote workstation workstationa. However, Local doesn't return local group members' Fully Qualified Domain Names (FQDNs). For example, if domaina\joeuser and domainb\joeuser are members of a local group called users, Local will return two instances of joeuser without specifying their domain membership.

Logevent (logevent.exe) lets you generate event-log events on local or remote machines. Events that you generate using Logevent show up only in the Application event log; you can't choose to log the events elsewhere. The command

logevent -m \\mypc -s -e -c 9999 "Danger Will Robinson"

creates an error event on remote machine mypc with a 9999 event category and some description text.

You might find Logevent useful in conjunction with a script you've written to perform an installation task on a group of machines. Logevent lets you record in a central location whether the installation completes successfully for each machine.

Netdom (netdom.exe) can perform a variety of Netlogon-related functions, such as resetting the secure-channel connection on a machine in a domain and adding and deleting machine accounts. After you add a machine account, you can have the machine join the domain without rebooting (if you use the network identification user interface—UI—to add a machine to a domain, you must reboot the machine). For example, to create a machine account for mypc and join the machine to domaina, you would execute the commands

netdom /domain:domaina member mypc /add
netdom /domain:domaina member mypc /joindomain

Netsvc (netsvc.exe) lets you start, stop, and query the status of local or remote services. When specifying a service, you can use either the full display name (e.g., "Windows Time Service") or the service name that appears in the Registry (e.g., w32time). You need to use quotation marks to enclose service names that include spaces. The command

netsvc w32time \\mypc /query

queries the status of the w32time service on machine mypc.

Netwatch (netwatch.exe), a GUI utility, lets you monitor who accesses shares and opens files on local or remote systems. You can use this tool to keep track of who connects remotely to a workstation. You can also use Netwatch to quickly view shares, hidden or not, available on a remote machine. However, if you operate Netwatch on a server with many users, it refreshes so frequently that the view is useless.

Nlmon (nlmon.exe) runs constantly and monitors the trust relationships between domains, and optionally, all of their trusted domains. For example, on a system with resourcea, resourceb, and resourcec domains, the command

nlmon /domainlist:resourcea,resourceb,resourcec /montrust:yes /update:5

monitors trusts between the resource domains and their master domains every 5 minutes and reports problems to the screen. You can use the redirection operator to redirect output to a text file.

Nltest (nltest.exe) lets you test functionality related to NT's Netlogon process. Netlogon performs several tasks, including managing the secure-channel connections between machines in a domain. My favorite use for Nltest is to determine how many bad-password attempts a user account has and the date and time the user last authenticated to a domain controller. The command

nltest /server:DomainDC /user:joeuser

displays information about user account joeuser in domain DomainDC. The display includes information such as the user's full name and description, the home or profile server, and the number of bad-password attempts against the account.

Ntrights (ntrights.exe) lets you grant or revoke user rights on a local or remote machine. You can also view those rights at User Manager/Policies/User Rights. The command

ntrights -u "domaina\domain admins" -m \\servera +r SeServiceLogonRight

enables the Logon as a Service right for the domain global group domain admins on server servera. User rights (e.g., SeServiceLogonRight) are case sensitive, and you can grant only one right per command line. The -u option specifies the user or group to whom you are granting the right. The -m option specifies a remote server or workstation to run the command against. If you specify a PDC, the rights change for the entire domain. The +r option tells the command to grant, rather than revoke (-r), the specified right. You need to use the NT 4.0 privilege name when you grant a particular right. For information about NT 4.0 rights, check the rktools.hlp documentation in the resource kit.

Permcopy (permcopy.exe) copies share permissions from one share to another. This utility doesn't copy NTFS file permissions, but it's handy if you're duplicating a share on multiple machines and you've set up elaborate share permissions that are difficult to duplicate manually. The command

permcopy \\servera public \\serverb public-new

copies share permissions from servera's public share to serverb's public-new share. Don't try to use Permcopy to copy permissions on the administrative shares that NT establishes by default (e.g., c$, admin$). Permcopy can cause problems with your system if you try to copy the administrative shares, which use special permissions.

Pulist (pulist.exe) lets you list the processes running on a local or remote system, associated process identifiers (PIDs), and the security context under which each process runs (the security context feature is available only when you run the command against a local machine). If you enter multiple machines on the command line, Pulist returns a list of individual processes that each remote machine is running. The command

pulist \\servera \\workstationb \\serverc

shows the processes that are running on three machines—servera, workstationb, and serverc. When you use Pulist with remote machines, the utility provides process names and IDs but not the username associated with each process.

Reg (reg.exe), a command-line utility, lets you manipulate Registry keys and values on local and remote machines. You can use Reg to add, delete, query, back up, restore, and change the Registry. Unlike tools such as Regini and Regedit, Reg processes only one Registry command at a time. Reg is useful when you want to make a few changes to the Registry and is conducive to scripted solutions. Listing 1 shows how to use Reg in a batch script with a remote machine, mypc. The script queries mypc for the path value in HKEY_CURRENT_USER. An errorlevel of 2 or greater means that Reg didn't find the value; in this case, control jumps to the add block, and Reg adds the value.

Regdmp (regdmp.exe) lets you dump Registry keys and values from a local or remote machine to a text file. You can then use Regini to import the dumped information. The command

regdmp -m \\servera HKEY_CURRENT_USER\Environment

dumps Registry keys from remote machine servera (which the -m option specifies) to HKEY_CURRENT_USER\Environment.

Regini (regini.exe) makes mass changes to Registries on local or remote machines. Regini takes as input a text file in the form that Regdmp generates and outputs return codes as the utility makes each Registry change. A nonzero return code identifies a failed registration. The command

regini -m \\servera regchanges.ini

makes the changes contained in the regchanges.ini file to the Registry on servera. The -m option specifies that the command runs against remote machine servera.

Rkill, Wrkill, and Rkillsrv
Rkill (rkill.exe), Wrkill (wrkill.exe), and Rkillsrv (rkillsrv.exe) make up Remote-kill utility. If you install Rkillsrv on each computer on which you want to be able to perform remote-process kills, you can use either the Rkill command-line utility or the Wrkill GUI utility to kill remote processes. The command

rkill -view \\servera

lets you view remote processes on servera. To kill a process, specify the process's PID. For example,

rkill -kill \\servera <PID>

kills the process that the PID identifies.

Rmtshare (rmtshare.exe) lets you create and modify file and printer shares on local and remote machines. You can use rmtshare to set all share parameters that you can set using Windows Explorer. The command

rmtshare \\servera\newshare=c:newshare /remark:"This is a 
new share point"

creates newshare on servera and adds a comment on the share.

Sc (sc.exe), which lets you control all aspects of local and remote services, is a great but finicky tool for remote-service management. You can use Sc to stop, start, query, install, deinstall, and even change dependencies on services. The command

sc \\mypc qc Browser

tells you which services depend on the browser service that is running on remote machine mypc. The qc option stands for query configuration. Sc is sensitive to syntax, so be sure the syntax is correct. You need to use spaces to separate all command-line options. Follow the examples that Sc provides when you type sc, without options, on the command line.

Scanreg (scanreg.exe) searches for keys, values, and data within values in the Registry. The command

scanreg -s Telnet \\mypc\lmSoftware\Microsoft -k

searches for the Telnet key under lm\Software\Microsoft on mypc. The -s option identifies the string you want to search for—in this case, Telnet. The -k option tells the command that you want to search only key names, not values or data within a value. If you type scanreg at the command line with no parameters, you get a list of abbreviations for each Registry subtree.

Shutdown and Shutgui
Shutdown (shutdown.exe), a command-line utility, and Shutgui (shutgui.exe), a GUI utility, shut down local or remote computers. The command

shutdown \\mypc /r  /t:30 /c

shuts down and restarts mypc after a 30-second countdown. The /c parameter forces all open applications to close, resulting in possible data loss but guaranteeing that the system shuts down properly. The /r option tells the command to restart the workstation after a shutdown.

Srvinfo (srvinfo.exe) is a command-line utility that provides a list of services or devices running on a local or remote machine. Srvinfo also generates information about the build of NT 4.0 (including any service packs and hotfixes) running on the target machine and the current server uptime. If you run Srvinfo with Microsoft Exchange Server or Microsoft SQL Server, the utility returns information about the version of those programs as well. The command

srvinfo -d -s \\servera

generates information about servera. The -s option tells the utility to list any shares it finds, and -d instructs it to display drivers and services.

Winsdmp (winsdmp.exe) lets you dump the contents of a WINS database to a file or to the console window. To dump the contents of a WINS server whose DNS name is WINSServerA and whose IP address is, you can use either

winsdmp WINSServerA



Winsdmp runs through all possible version IDs and prints records in Comma Separated Values (CSV) format. Winsdmp dumps the target server's records and any records that other WINS servers replicate to the target server.

Windows Script Host
Supplement 4 includes 62 VBScript-based Windows Script Host (WSH) scripts for performing various remote-administration tasks. The scripts require your system to run the Windows Management Instrumentation (WMI) software. By default, Windows 2000 (Win2K) and Windows 98 include WMI. When you install Supplement 4, you'll have the option to also install the WMI software development kit (SDK) on NT 4.0-based systems. The scripts let you perform a variety of automated tasks, from powering off and rebooting a system to enabling DHCP on a system that uses static IP addressing. To invoke these scripts, you need to use the command

cscript <scriptname>.vbs

Most of the scripts let you pass a parameter for the remote machine you're administering. For example, the command

cscript poweroff.vbs \\mypc

invokes the poweroff script on mypc.

Anything Is Remotely Possible
In addition to the resource kit utilities, a variety of third-party tools available on the Internet can help you with most administrative tasks. Sources include Beverly Hills Software (, Systems Internals (, and Winternals Software ( For tasks that you can't find a tool for, you might consider learning some VBScript or Jscript and becoming familiar with WSH and WMI.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.