How to automate BGInfo using batch files

If you are not familiar with BGInfo, do a quick search and see how it can help identify and provide valuable information to system administrators while working on desktops and servers.

I love to script, so I created a few simple batch command files that help automate the process of utilizing BGInfo for the servers I support.

So, here is the environment I work in, so you can get a little understanding of the challenge I faced in implementing BGInfo across all of my Windows servers.

We have two data centers, ADC & BDC. The majority of our servers follow a naming convention in which the first three letters identify the data center they reside in.

The fourth letter in the server name identifies the type of server…
(P)roduction, (D)evelopment, (Q)uality Assurance, (T)est, (S)tage

Then, I have a certain number of servers that were built prior to the naming standard and don’t comply, so I had to add some special name checking to work these into my automation.

I have three different sets of batch files that do different things, so I’ll show all three and explain what is happening in each one.

First one is the main batch file that is initiated by creating a shortcut to it and placing it in the common startup folder of every server. We use a product called BCM to place the shortcut, but there are other methods to automate this as well.


@echo off
rem turns off command echo in the command prompt window
rem main batch file, run from a shortcut in the common Startup folder of every server
rem check = the 4th character of the computer name (server type)
set check=%computername:~3,1%
rem srv = the 2nd and 3rd characters of the computer name (DC for a compliant name)
set srv=%computername:~1,2%
rem remove any previous BGInfo setting placed by previous users
if exist "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*.bgi" (
    del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*.bgi" /q
)
rem if srv is not DC the server name is non compliant: if a batch file already exists,
rem run it to update the background info for the current user, then exit; otherwise
rem ask.bat prompts for the server type and creates that batch file
if not "%srv%"=="DC" (
    if exist C:\server\bg.bat (
        call C:\server\bg.bat
        exit /b
    )
    call \\adcpserver01\BGInfo\ask.bat
    exit /b
)
rem compliant name: if check is one of the identified server types, run the matching
rem profile. The path is the share holding the BGInfo application and supporting files.
if "%check%"=="P" call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\prod.bgi /timer:0 /silent /accepteula
if "%check%"=="D" call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\dev.bgi /timer:0 /silent /accepteula
if "%check%"=="Q" call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\qa.bgi /timer:0 /silent /accepteula
if "%check%"=="T" call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\test.bgi /timer:0 /silent /accepteula
if "%check%"=="S" call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\stage.bgi /timer:0 /silent /accepteula


@echo off
rem turns off command echo in the command prompt window
rem ask.bat, kept on the share and run on servers whose name is non compliant
rem allows input, asking for the type of server
set /p check=What type of server is this? (P)roduction, (D)evelopment, (Q)uality Control, (T)est, (S)tage:
rem if check = P, run the production profile and copy the production batch file to
rem C:\server\ for continual use, renamed to bg.bat so the startup file can run it for any user
if /i "%check%"=="P" (
    call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\prod.bgi /timer:0 /silent /accepteula
    xcopy \\adcpserver01\BGInfo\bgprod.bat "C:\server\" /y
    rename C:\server\bgprod.bat bg.bat
)
rem the same for each of the other server types
if /i "%check%"=="D" (
    call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\dev.bgi /timer:0 /silent /accepteula
    xcopy \\adcpserver01\BGInfo\bgdev.bat "C:\server\" /y
    rename C:\server\bgdev.bat bg.bat
)
if /i "%check%"=="Q" (
    call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\qa.bgi /timer:0 /silent /accepteula
    xcopy \\adcpserver01\BGInfo\bgqa.bat "C:\server\" /y
    rename C:\server\bgqa.bat bg.bat
)
if /i "%check%"=="T" (
    call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\test.bgi /timer:0 /silent /accepteula
    xcopy \\adcpserver01\BGInfo\bgtest.bat "C:\server\" /y
    rename C:\server\bgtest.bat bg.bat
)
if /i "%check%"=="S" (
    call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\stage.bgi /timer:0 /silent /accepteula
    xcopy \\adcpserver01\BGInfo\bgstage.bat "C:\server\" /y
    rename C:\server\bgstage.bat bg.bat
)


@echo off
rem turns off command echo in the command prompt window
rem bgprod.bat, copied to C:\server\bg.bat by ask.bat (bgdev.bat, bgqa.bat, bgtest.bat
rem and bgstage.bat are identical apart from the profile they run)
rem executes the prod profile
call \\adcpserver01\BGInfo\BGInfo64.exe \\adcpserver01\BGInfo\prod.bgi /timer:0 /silent /accepteula
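
The same name-based profile selection as the startup batch file, as an added PowerShell example that is not the author's code: it refuses to launch BGInfo64.exe from the share unless the file still carries a valid Microsoft Authenticode signature (Sysinternals builds are Microsoft-signed). It assumes the share path and the five profile names from the post.

```powershell
# Added example, not the author's batch file: pick the BGInfo profile from the server
# name and refuse to run the share-hosted binary unless its signature checks out.
# Assumed from the post: the share \\adcpserver01\BGInfo and the five .bgi profile names.
$share    = '\\adcpserver01\BGInfo'
$exe      = Join-Path $share 'BGInfo64.exe'
$profiles = @{ P = 'prod.bgi'; D = 'dev.bgi'; Q = 'qa.bgi'; T = 'test.bgi'; S = 'stage.bgi' }

$name = $env:COMPUTERNAME
if ($name.Length -lt 4) { Write-Warning "$name is too short for the naming standard"; return }
$dc   = $name.Substring(1, 2).ToUpper()   # 2nd and 3rd characters: 'DC' for a compliant name
$type = $name.Substring(3, 1).ToUpper()   # 4th character: P, D, Q, T or S

if ($dc -ne 'DC' -or -not $profiles.ContainsKey($type)) {
    Write-Warning "$name does not follow the naming standard; run ask.bat on it instead"
    return
}

# Every server executes this at logon, so the share is a code path into all of them.
# A missing, broken or non-Microsoft signature means the file on the share is no
# longer the Sysinternals binary that was placed there, so do not run it.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
    Write-Warning "Refusing to run $exe (signature status: $($sig.Status))"
    return
}

& $exe (Join-Path $share $profiles[$type]) /timer:0 /silent /accepteula
```

The signature check only catches a replaced binary; it does not cover ask.bat or the .bgi files, so write access to the share still needs to be limited to the people who maintain it.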


Setup RADIUS Server for Watchguard Wi-Fi Access Point Authentication

There are three different components discussed herein, Certificate creation, RADIUS server configuration and WatchGuard firewall configuration. I’ve left out the switch/networking portion, as it is mostly covered in the WatchGuard firewall section.

Self-Signed Certificate Creation

You need to create a Self-Signed Certificate on the RADIUS Server.
Open Windows PowerShell as an Administrator.

Enter the following at the prompt:

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname DC1.Server.local

Note: Change DC1.Server.local in the command line to the FQDN of the RADIUS Server.

Open MMC, add the Certificates snap-in for the Computer Account, and press OK.

Highlight the Certificate you just created under Certificates>Personal>Certificates and Right Click and Copy.

Next, expand Trusted Root Certificate Authorities>Certificates and Paste the newly created Certificate there.
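
The certificate creation and the MMC copy into Trusted Root, as an added PowerShell example (not from the original post) that does both from the same elevated prompt and verifies the result; it assumes the FQDN used in the post.

```powershell
# Added example, not from the original post: create the self-signed RADIUS server
# certificate and place a copy in the Trusted Root store without the MMC steps.
# Assumed: the FQDN from the post; replace it with your RADIUS server's name.
$fqdn = 'DC1.Server.local'

$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My'

# Export the public certificate only (no private key) and import it as a trusted root.
# The private key stays in the Personal store, which is where NPS/PEAP needs it.
$cerPath = Join-Path $env:TEMP "$fqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Check the outcome: the same thumbprint must now exist in both stores and the subject
# must name the server. The default validity is one year, so note NotAfter for renewal.
$inMy   = Test-Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
$inRoot = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
'{0}  Personal={1}  TrustedRoot={2}  expires {3:d}' -f $cert.Subject, $inMy, $inRoot, $cert.NotAfter
```

The exported .cer is also what the wireless clients need in their own Trusted Root store if they are set to validate the RADIUS server's certificate, because a self-signed certificate is trusted nowhere by default.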

RADIUS Server Setup… 

Setup RADIUS Clients and be sure to use a Shared Secret at least 22 characters long.
Make sure to add each AP to the RADIUS Clients list.

Create a Connection Request Policy as follows:

Check Wireless – IEEE 802.11 under Common 802.11 connection tunnel types and Wireless – Other under Others in the NAS Port Type settings.
Secure Wireless Connections Policies

Leave all of the Settings under the configuration tab blank/default:

Create a Network Policy as follows:

Select the Windows Group and add the Security Group you created in AD to allow Wifi access…
This can be a specific group or Domain Users to allow everyone authenticated through AD.
Add NAS Port Type and select Wireless – IEEE 802.11 under Common 802.11 connection tunnel types and Wireless – Other under Others section.

Ensure the Constraints tab is set as follows:
Add Microsoft Protected EAP (PEAP) as the EAP Type and verify there is an issued certificate.
Add Secured password (EAP-MSCHAP v2) as the EAP Type in the Protected EAP Properties.

The Settings tab can just be left at its defaults.

If a particular setting wasn’t listed above, leave it as default or blank.

WatchGuard Firewall and Access Point setup…

In this configuration setup, there are four Access Points which broadcast two SSID’s, Secure and Guest.
Secure SSID is for RADIUS Authentication and Guest is for Internet Only access.

The network configuration is as follows:

VLAN 1 – default subnet, Trusted Zone, untagged (
VLAN 85 – Secure SSID, Trusted Zone, tagged (
VLAN 95 – Guest SSID, Optional Zone, tagged (
VLAN 254 – Voice, Trusted Zone, tagged (

VLAN 1, Firewall – Gateway for the data subnet under the NETWORK settings.
VLAN 85, Secure – Gateway for Secure SSID
Setup DHCP under the Network tab to issue IP address configurations to Secure clients:
VLAN 95, Guest – Gateway for Guest SSID
Setup DHCP under the Network tab to issue IP address configurations to Guest clients:
Each Access Point is to be configured as follows:
Assign each Access Point with a static IP address in your Default/Data VLAN subnet.
Add each Unpaired Access Point to the Gateway Wireless Controller with the following under NETWORK settings:
Setup SSIDs as follows:

Label the Network Name (SSID) for the Secure VLAN.
Check Enable VLAN tagging and enter the VLAN number for the Secure subnet.
Under the Security tab, configure the settings as follows:
Be sure to match the RADIUS Secret defined on the RADIUS Server and that it is at least 22 characters long.
Under the Access Points, select each Radio you wish to show as available for this SSID.

Label the Network Name (SSID) for the Guest VLAN.
Check Enable VLAN tagging and enter the VLAN number for the Guest subnet.
Under the Security tab, configure the settings as follows:
Under the Access Points, select each Radio you wish to show as available for this SSID.

Now, the Access Points should show up under the Gateway Wireless Controller.
Add a Firewall Policy under FIREWALL settings as follows:
Next, click on the Policy to add the Access Points and RADIUS Server to the configuration.
Add each Access Point in the FROM list and the RADIUS Server in the TO list. Leave all else as defaults.
Add the Wifi Group defined in AD and select RADIUS as the Authentication Server under AUTHENTICATION settings.
The Group Name needs to match the Group defined in RADIUS Server allowed access to connect to the Access Points.

Double NAT to allow IPSEC VPN on firewall behind router or firewall

On your Site 1 internet router/firewall, NAT the following ports to your VPN firewall’s External IP address


Note: To setup a proper IPSEC VPN on a firewall that is behind an internet facing router/firewall, your IPSEC VPN firewall must be assigned an internal IP address. The above example shows the IPSEC VPN firewall as

This is the IP subnet that is hosted by the internet router/firewall. is what the External interface of the IPSEC VPN firewall is assigned. Its internal subnet must be on a different subnet. This example will use

The IPSEC VPN tunnel configuration is exactly the same as it would be if the device were the internet facing device.

In the VPN tunnel configuration, set your local gateway to the External IP address assigned to the internet facing device.

On the remote IPSEC VPN tunnel, configure its remote IP address to the same IP address that is assigned to the above local gateway.


Site 1 (Home)                                                   Site 2 (Business)

Local GW:                                             Local GW:
Remote GW:                                      Remote GW:
Internal:                                Internal:
Remote:                                Remote:


How to use OneDrive for Business for an Organization

As you may be aware, Microsoft’s OneDrive for Business (ODfB) isn’t quite what we’d expect to have for use as an online solution for storing and sharing files for a department or company. It really isn’t designed to house all of your department files; rather it is simply an online extension of your My Documents folder, if you set that as your local folder to synchronize with. Microsoft will tell you that if you want to offer department or company wide file storage and collaboration to use SharePoint, which currently provides 10GB of data storage per company. That isn’t much storage at all, and they know it; that’s why they offer additional storage at a cost per GB. They know that once companies get comfortable and like the convenience of their online storage that offers great collaborative features, companies will be willing to forgo a few bucks per GB to keep their data readily available for everyone. ODfB currently allows up to 1TB of storage space per user, but I have been told by Microsoft’s customer support that this is soon to be opened up to being unlimited storage.

After some testing, I’ve devised a way in which you can provide ODfB to your departments and entire company with minimal effort. Administration of the directory structure is really no different than what you are used to on premise. The best part is that once configured and implemented, everything stored on ODfB will synchronize with your on premise file server, so you have a local copy of everything in the cloud.

The short of it is simply to use an AD account with administrative privileges, both online and on premise, to set up your ODfB file sharing. Install ODfB on your file server and set your desired directory for synchronization. Until Microsoft opens up ODfB to unlimited storage, if you run out of data online, simply create or use another AD account to gain an additional 1 TB of space. The license per user, per month is far less than the storage space you’d be paying for using SharePoint.

Switch VLAN Tags on Switchports

Connect into the Cisco switch:




Ensure no other users are logged in:


If more than one user is logged in, ensure the other user(s) log out prior to making any changes.

Show running config:


Scroll down to the switchport that needs to be changed. When --More-- shows, press the spacebar to view more of the configuration:

Once the switchport is in view, press the Esc key to end scrolling the config:

Enter configuration terminal mode:


Using the cursor, highlight the switchport that needs to be changed by left clicking in front of the line and scrolling right until you highlight the switchport number:


Right click and the highlighted text will copy and paste into your config line:


Press Enter and that allows that particular switchport interface to be edited:


Using the cursor, highlight the switchport access vlan that needs to be changed by left clicking in front of the line and scrolling right until you highlight the vlan number:


Right click and the highlighted text will copy and paste into your config line:

Press the Delete key to remove the current vlan number and enter the new vlan you wish to assign to the switchport:


Continue making additional switchport changes by using your up arrow key to display the switchport line from the history and change the switchport number to your desired switchport number. Once the change has been made, press Enter and use the same feature to change the vlan tag as well.

Exit the interface and configuration mode by entering ‘exit’ and pressing Enter twice:


Save running config to startup config:


Port Forwarding to Host on ASA

To forward a port to a device behind the firewall on your inside subnet, follow the steps below:

Using the ASDM, Add Network Object under the Configuration/Firewall/Objects/Network Objects/Groups settings.

Provide a Name, select Host and enter its IP Address.
Check the Add Automatic Address Translation Rules box.
Ensure the Type is Static.
Set the Translated Addr to outside.
Click on the Advanced… button.
Set the Source Interface to inside and the Destination Interface to outside.
Select the correct Protocol Service, then enter the correct Real Port and Mapped Port.
Click OK.


Add Access Rule under Configuration/Firewall/Access Rules.
Set the Interface to inside.
Set Action to Permit.
Set Source to any
Set Destination to the device you are forwarding the port to.
Set the Service to the Protocol/Port you are forwarding.
Click OK.

Configure ASA for S2S IPSEC VPN

In the toolbar in the ASDM, select Wizards/VPN Wizards/Site-to-site VPN Wizard…

Step 1: Click Next on the Introduction screen.
Step 2: Enter the Peer IP Address for the remote site and ensure the VPN Access Interface is set to outside, click Next


Step 3: Browse the Local Network by clicking on the three dots (…) button to the right of the Local Network field.
Select inside-network and click on the Local Network button, then click OK
Enter the Remote Network IP/Class for the remote subnet, Example( then click Next


Step 4: Select Simple Configuration, enter the Pre-shared Key and click Next


Step 5: Exempt the Inside interface by marking the box with a checkmark and click Next


Step 6: Review the configuration and click Finish if everything is correct, click Back to make any changes needed.


Uncheck the IKEv2 Enabled checkbox, then click Edit on the Connection Profile you just created.


Verify the appropriate IKE Policy is used in the IPsec Settings/IKE v1 Settings/Encryption Algorithms; if not, click Manage and Add it.


Click Apply, then Save