HPASMCLI - Overview and Commands

hpasmcli stands for HP Server Management Application and Agents Command Line Interface

It comes with HP ProLiant Support Pack (PSP) and can be installed in HP ProLiant Servers to view, modify the BIOS / System settings such as  hyper-threading, boot sequence control, and UID LEDs, etc. It can also be used to display hardware status  of the HP ProLiant servers. 

It’s a scriptable command line interface for interacting with the hpasm management daemons.
hpasmcli is also usable for incorporating into shell scripts. Hpasmcli supports TAB completion of command names and has a history buffer that can be accessed using the up/down arrows. 

To get the basic information about server:

hpasmcli> show server
System        : ProLiant DL385 G1
Serial No.    : SGH532X0KK      
ROM version   : A05 06/14/2005
iLo present   : Yes
Embedded NICs : 2
NIC1 MAC: 00:14:38:4c:62:3e
NIC2 MAC: 00:14:38:4c:62:3d

Processor: 0
Name         : AMD Opteron
Stepping     : 2
Speed        : 2200 MHz
Bus          : 0 MHz
Socket       : 2
Level2 Cache : 1024 KBytes
Status       : Ok

Processor: 1
Name         : AMD Opteron
Stepping     : 2
Speed        : 2200 MHz
Bus          : 0 MHz
Socket       : 1
Level2 Cache : 1024 KBytes
Status       : Ok

Processor total  : 2

Memory installed : 1024 MBytes
ECC supported    : Yes

Verify the Automatic System Recovery values:
hpasmcli> show asr
ASR timeout is 10 minutes.
ASR is currently enabled.

To verify the boot order:

hpasmcli> show boot
First boot device is: CD-ROM.
One time boot device is: Not set.

To check the DIMM Information:

hpasmcli> show dimm
DIMM Configuration
Cartridge #:   0
Module #:      3
Present:       Yes
Form Factor:   9h
Memory Type:   12h
Size:          1024 MB
Speed:         400 MHz
Status:        Ok

Cartridge #:   0
Module #:      4
Present:       Yes
Form Factor:   9h
Memory Type:   12h
Size:          1024 MB
Speed:         400 MHz
Status:        Ok

To check the F1 Prompt:

hpasmcli> show f1
The POST F1 prompt is currently delayed.

To Verify the FANS:

hpasmcli> show fans
Fan  Location        Present Speed  of max  Redundant  Partner  Hot-pluggable
---  --------        ------- -----  ------  ---------  -------  -------------
#1   PROCESSOR_ZONE  Yes     NORMAL 18%     Yes        2        Yes           
#2   PROCESSOR_ZONE  Yes     NORMAL 18%     Yes        1        Yes           
#3   I/O_ZONE        Yes     NORMAL 18%     Yes        1        Yes           
#4   I/O_ZONE        Yes     NORMAL 18%     Yes        1        Yes           
#5   PROCESSOR_ZONE  Yes     NORMAL 18%     Yes        1        Yes           
#6   PROCESSOR_ZONE  Yes     NORMAL 18%     Yes        1        Yes           
#7   POWERSUPPLY_BAY Yes     NORMAL 18%     Yes        1        Yes           
#8   POWERSUPPLY_BAY Yes     NORMAL 18%     Yes        1        Yes           

To Verify the HT Status:

hpasmcli> show ht
Processor hyper-threading is currently disabled.

To view the IML Logs:

hpasmcli> show iml
The IML Log is empty.

hpasmcli> show ipl
IPL (Standard Boot Order)
#1 Floppy
#3 HDD
#4 PXE

To check the Power Supply Status:

hpasmcli> show powersupply
Power supply #1
Present  : Yes
Redundant: No
Condition: Ok
Hotplug  : Supported

Power supply #2
Power Supply not present

To check the PXE status of the network cards:

hpasmcli> show pxe
PXE boot status (2 Embedded NICs):
NIC1: PXE enabled
NIC2: PXE disabled

To check the Serial Port status:

hpasmcli> show serial bios
BIOS console redirection port is currently set to COM1/9600.

hpasmcli> show serial bios
Embedded serial port A: COM1
Embedded serial port B: Disabled

hpasmcli> show serial virtual
The virtual serial port is currently COM2.

To check the temperature of the server:

hpasmcli> show temp
Sensor   Location              Temp       Threshold
------   --------              ----       ---------
#0        SYSTEM_BD             -          -       
#1        CPU#1                51C/123F   80C/176F 
#2        I/O_ZONE             52C/125F   62C/143F 
#3        CPU#2                46C/114F   80C/176F 
#4        PROCESSOR_ZONE       41C/105F   60C/140F 
#5        POWER_SUPPLY_BAY     41C/105F   51C/123F 

To check LED status:

hpasmcli> show uid
UID is currently off.

To check the Wake on LAN status:

hpasmcli> show wol
Wake-On-Lan is currently enabled.

To exit from hpasmcli:

hpasmcli> exit

Terminal servers at network command at windows 2008

Displays the available application terminal servers on the network.


servername Identifies a Terminal server.
/DOMAIN:domain Displays information for the specified domain (defaults
to the current domain).
/ADDRESS Displays network and node addresses.
/CONTINUE Does not pause after each screen of information.

Own Event Log create at Windows server 2008

EVENTCREATE [/S system [/U username [/P [password]]]] /ID eventid
[/L logname] [/SO srcname] /T type /D description

This command line tool enables an administrator to create a custom event ID and message in a specified event log.

Parameter List:
/S system Specifies the remote system to connect to.

/U [domain\]user Specifies the user context under which
the command should execute.

/P [password] Specifies the password for the given
user context. Prompts for input if omitted.

/L logname Specifies the event log to create
an event in.

/T type Specifies the type of event to create.

/SO source Specifies the source to use for the
event (if not specified, source will default
to 'eventcreate'). A valid source can be any
string and should represent the application
or component that is generating the event.

/ID id Specifies the event ID for the event. A
valid custom message ID is in the range
of 1 - 1000.

/D description Specifies the description text for the new event.

/? Displays this help message.

EVENTCREATE /T ERROR /ID 1000 /L APPLICATION /D "My custom error event for the application log"

EVENTCREATE /T ERROR /ID 999 /L APPLICATION /SO WinWord /D "Winword event 999 happened due to low diskspace"

EVENTCREATE /S system /T ERROR /ID 100 /L APPLICATION /D "Custom job failed to install"

EVENTCREATE /S system /U user /P password /ID 1 /T ERROR /L APPLICATION /D "User access failed due to invalid user credentials"

Database utilities at windows server 2008 core


DESCRIPTION: Database utilities for the Extensible Storage Engine for Microsoft

Defragmentation:  ESENTUTL /d {database name} [options]
Recovery: ESENTUTL /r {logfile base name} [options]
Integrity: ESENTUTL /g {database name} [options]
Checksum: ESENTUTL /k {file name} [options]
Repair: ESENTUTL /p {database name} [options]
File Dump: ESENTUTL /m[mode-modifier] {filename}
Copy File: ESENTUTL /y {source file} [options]

LDAP Management at windows server 2008 core

Dsmgmt facilitates managing AD DS/LDS application partitions, management
and control of the Flexible Single Master Operations (FSMO),
and cleaning up of metadata left behind by abandoned AD DCs/LDS instances,
those which are removed from the network without being uninstalled.

This is an interactive tool.

 Configurable Settings         - Manage configurable settings
DS Behavior - View and modify AD DS/LDS Behavior
Group Membership Evaluation - Evaluate SIDs in token for a given user or
LDAP policies - Manage LDAP protocol policies
Local Roles - Local RODC roles management
Metadata cleanup - Clean up objects of decommissioned servers
Partition management - Manage directory partitions
Popups off - Disable popups
Popups on - Enable popups
Quit - Quit the utility
Roles - Manage NTDS role owner tokens
Security account management - Manage Security Account Database - Duplicate
SID Cleanup
Set DSRM Password - Reset directory service restore mode
administrator account password

Default GPO Fix

Default GPO fix at Windows server 2008 core

Description: Recreates the Default Group Policy Objects (GPOs) for a domain

Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]

/target: {Domain | DC | BOTH} Optional.
Specifies the GPO to be restored -- the Default Domain Policy GPO, the
default Domain Controllers Policy GPO, or both.

/ignoreschema: Optional.
Use this switch to have this tool ignore the schema version of the Active
Directory. Otherwise this tool will only work on the same schema version as
the Windows version in which the tool was shipped.

CSV file Command line at windows server 2008 core

CSV command line options at windows server 2008 core.

CSV Directory Exchange

General Parameters
-i Turn on Import Mode (The default is Export)
-f filename Input or Output filename
-s servername The server to bind to (Default to DC of computer's domain)
-v Turn on Verbose Mode
-c FromDN ToDN Replace occurences of FromDN to ToDN
-j path Log File Location
-t port Port Number (default = 389)
-u Use Unicode format
-? Help

Export Specific
-d RootDN The root of the LDAP search (Default to Naming Context)
-r Filter LDAP search filter (Default to "(objectClass=*)")
-p SearchScope Search Scope (Base/OneLevel/Subtree)
-l list List of attributes (comma separated) to look for in an
LDAP search
-o list List of attributes (comma separated) to omit from input.
-g Disable Paged Search.
-m Enable the SAM logic on export.
-n Do not export binary values

-k The import will go on ignoring 'Constraint Violation' and
'Object Already Exists' errors

Credentials Establishment
Note that if no credentials is specified, CSVDE will bind as the currently
logged on user, using SSPI.

-a UserDN [Password | *] Simple authentication
-b UserName Domain [Password | *] SSPI bind method

Example: Simple import of current domain
csvde -i -f INPUT.CSV

Example: Simple export of current domain
csvde -f OUTPUT.CSV

Example: Export of specific domain with credentials
csvde -m -f OUTPUT.CSV
-d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com"
-r "(objectClass=user)"
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.

Windows server core Command - Change

Change Command at windows 2008 server core


Change LOGON

Enable, disable, or drain session logins.


/QUERY Query current session login mode.
/ENABLE Enable user login from sessions.
/DISABLE Disable user login from sessions.
/DRAIN Disable new user logons, but allow reconnections to existing sessions.
/DRAINUNTILRESTART Disable new user logons until the server is restarted, but
allow reconnections to existing sessions.

Change PORT

List or change COM port mappings for DOS application compatibility.

CHANGE PORT [portx=porty | /D portx | /QUERY]

portx=porty Map port x to port y.
/D portx Delete mapping for port x.
/QUERY Display current mapping ports.

Change USER

Change Install Mode.


/EXECUTE Enable execute mode (default).
/INSTALL Enable install mode.
/QUERY Display current settings.

ICACLS options at Windows 2008 server Core

Reset the NTFS Files/Folders Permissions at Windows using CACLS utility.

ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
store the the acls for the all matching names into aclfile for
later use with /restore.

ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
[/C] [/L] [/Q]
applies the stored acls to files in directory.

ICACLS name /setowner user [/T] [/C] [/L] [/Q]
changes the owner of all matching names.

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
finds all matching names that contain an ACL
explicitly mentioning Sid.

ICACLS name /verify [/T] [/C] [/L] [/Q]
finds all files whose ACL is not in canonical for or whose
lengths are inconsistent with ACE counts.

ICACLS name /reset [/T] [/C] [/L] [/Q]
replaces acls with default inherited acls for all matching files

ICACLS name [/grant[:r] Sid:perm[...]]
[/deny Sid:perm [...]]
[/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
[/setintegritylevel Level:policy[...]]

/grant[:r] Sid:perm grants the specified user access rights. With :r,
the permissions replace any previouly granted explicit permissions.
Without :r, the permissions are added to any previously granted
explicit permissions.

/deny Sid:perm explicitly denies the specified user access rights.
An explicit deny ACE is added for the stated permissions and
the same permissions in any explicit grant are removed.

/remove[:[g|d]] Sid removes all occurrences of Sid in the acl. With
:g, it removes all occurrences of granted rights to that Sid. With
:d, it removes all occurrences of denied rights to that Sid.

/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
ACE to all matching files. The level is to be specified as one


Inheritance options for the integrity ACE may precede the level
and are applied only to directories.


e - enables inheritance
d - disables inheritance and copy the ACEs
r - remove all inherited ACEs

Sids may be in either numerical or friendly name form. If a numerical
form is given, affix a * to the start of the SID.

/T indicates that this operation is performed on all matching
files/directories below the directories specified in the name.

/C indicates that this operation will continue on all file errors.
Error messages will still be displayed.

/L indicates that this operation is performed on a symbolic link
itself versus its target.

/Q indicates that icacls should supress success messages.

ICACLS preserves the canonical ordering of ACE entries:

Explicit denials
Explicit grants
Inherited denials
Inherited grants

perm is a permission mask and can be specified in one of two forms:
a sequence of simple rights:

F - full access
M - modify access
RX - read and execute access
R - read-only access
W - write-only access

a comma-separated list in parenthesis of specific rights:

D - delete
RC - read control
WDAC - write DAC
WO - write owner
S - synchronize
AS - access system security
MA - maximum allowed
GR - generic read
GW - generic write
GE - generic execute
GA - generic all
RD - read data/list directory
WD - write data/add file
AD - append data/add subdirectory
REA - read extended attributes
WEA - write extended attributes
X - execute/traverse
DC - delete child
RA - read attributes
WA - write attributes

inheritance rights may precede either form and are applied
only to directories:

(OI) - object inherit
(CI) - container inherit
(IO) - inherit only
(NP) - don't propagate inherit


icacls c:\windows\* /save AclFile /T
- Will save the ACLs for all files under c:\windows
and its subdirectories to AclFile.

icacls c:\windows\ /restore AclFile
- Will restore the Acls for every file within
AclFile that exists in c:\windows and its subdirectories

icacls file /grant Administrator:(D,WDAC)
- Will grant the user Administrator Delete and Write DAC
permissions to file

icacls file /grant *S-1-1-0:(D,WDAC)
- Will grant the user defined by sid S-1-1-0 Delete and
Write DAC permissions to file

Windows 2008 server core - Search

We can able to search file through command-line at Windows server 2008 Server Core.

WHERE [/R dir] [/Q] [/F] [/T] pattern...


Displays the location of files that match the search pattern.
By default, the search is done along the current directory and in the paths specified by the PATH environment variable.

Parameter List:

/R Recursively searches and displays the files that match the given
pattern starting from the specified directory.

/Q Returns only the exit code, without displaying the list
of matched files. (Quiet mode)

/F Displays the matched filename in double quotes.

/T Displays the file size, last modified date and time for all
matched files.

pattern Specifies the search pattern for the files to match. Wildcards * and ?
can be used in the pattern. The "$env:pattern" and "path:pattern"
formats can also be specified, where "env" is an environment variable
and the search is done in the specified paths of the "env" environment
variable. These formats should not be used with /R. The search is also
done by appending the extensions of the PATHEXT variable to the pattern.

/? Displays this help message.

The tool returns an error level of 0 if the search is successful, of 1 if the search is unsuccessful and of 2 for failures or errors.

WHERE myfilename1 myfile????.*
WHERE $windir:*.*
WHERE /R c:\windows *.exe *.dll *.bat
WHERE /Q ??.???
WHERE "c:\windows;c:\windows\system32:*.dll"
WHERE /F /T *.dll

SELinux - Overview and Configuration

SELinux Features:
  • Restricts access by subjects (users and/or processes) to objects (files)
  • Provides Mandatory Access Controls (MACs)
  • MACs extend Discretionary Access Controls (DACs (Standard Linux Permissions))
  • Stores MAC permissions in extended attributes of file systems
  • SELinux provides a way to separate: users, processes (subjects), and objects, via labeling, and monitors/controls their interaction
  • SELinux is integrated into the Linux kernel
  • Implements sandboxes for subjects and objects
  • Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
  • SELinux is implemented/enabled by RHEL5, by default
  • Operates in the following modes:

            a. Permissive - permission is always granted, but denials are logged in: /var/log/messages
            b. Enforcing - strictly enforces 'targeted' policy rules
            c. Disabled - Only DACs are applied

  • Operating modes can be applied upon startup or while the system is running

SELinux Config files & Tools:

 1. sestatus - displays current SELinux status, including:
     a. policy name 'targeted'
     b. policy version '21'
     c. Operating mode: 'enforcing|permissive|disabled'

 2. /etc/sysconfig/selinux - primary startup|config file for SELinux
 3. /etc/selinux/targeted - top-level container for the 'targeted' policy
 4. setenforce = 0(permissive) 1(enforcing)
 5. '-Z' can be applied to the following commands to obtain SELinux context info:
      mv, cp, ls, ps, id
 6. chcon -R -t type <file> - applies SELinux label to file/directory

Note: If files(objects) lose their SELinux context, there are multiple ways to relabel them:
     1. 'touch /.autorelabel && reboot' - init will relable the system according to the 'targeted' policy
     2. 'fixfiles' - use to relabel objects (files) while the system is running

Note: List of daemons protected by the 'targeted' SELinux policy:
             1. apache(httpd)
             2. dchpd
             3. ntpd
             4. named
             5. syslogd
             6. squid
             7. snmpd
             8. portmap
             9. nscd
            10. winbind

Note: The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain

Note: The default SELinux 'targeted' policy, using MACs, binds subject domains: i.e. 'httpd_t' to object types: i.e. 'httpd_config_t'

Note: SELinux MACs compound Linux DACs