Novell
Group Policy Editing – Findings
by dwarfsoft on Jun.15, 2010, under Novell, Scripting, Tweet
I had started another post on Group Policy editing, and how the Policy files are structured, and how to use and improve on the existing Group Policy Editor tool. The post has been found to be far too epic, so I have decided to cover a smaller subset of recent finds.
As everybody is probably already aware, we use Novell ConsoleOne and ZENworks where I work. ConsoleOne has some interesting features that require that whenever a Group Policy is being edited it takes over as the policy on the machine that is editing it. Rather than have a useful tool like Microsoft's Group Policy Management Console, Novell likes to replace the local Group Policy and then just run gpedit.msc. Which is where my first gripe about gpedit.msc comes in:
GPEdit.msc requires line by line entry of things like, for example, port exceptions and program exceptions for the Windows Firewall. This is usually not an issue except that, as I have discussed in previous posts, we have been moving towards a Windows Domain environment. Firewall Exception rules are configured within two places in Group Policy: Domain Profile and Standard Profile. I have found that there is a need to move our current Standard Profile settings across to the Domain Profile settings. After a bit of registry searching I found a neat trick for doing exactly that.
SYSTEM Account Permissions
by dwarfsoft on May.25, 2010, under Novell, Scripting, Tweet, Work
Recently I have been working on some rather complicated projects preparing our SOE to move from Novell eDirectory to an Active Directory environment. One of the packages I built was required to run periodically and so I set up a Scheduled Task to accomplish this. Rather than introduce a security risk by creating a new Administrator Account I just created the scheduled task to run as the local SYSTEM account. It turns out that the SYSTEM account does not have as much access as I required, especially when managing user registry hives.
After quite some time looking into how to achieve my goal I came up with a rather simple, yet ultimately hacky, solution. Give the SYSTEM Account Administrative Privileges.
Shared User Profiles – Staging Scripts
by dwarfsoft on Mar.15, 2010, under Novell, Scripting, Tweet, Work
As promised, here are the scripts required for the Pre-staging of Domain User Profiles on the local machine. The first thing we need to do is Enumerate all the Local User Accounts.
Function StageAllUsers(DomainFQDN, strDomain)
    ' Enumerate all users that are Local and not built in accounts.
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

    ' Enumerate users where the User Domain is the Local Machine
    Set colItems = objWMIService.ExecQuery _
        ("Select * from Win32_UserAccount " & _
        "Where Domain = '" & GetComputerName & "' " & _
        "And Disabled = FALSE And Name <> 'Administrator'")

    ' Stage each user
    For Each objItem In colItems
        ' Ensure the account actually has a profile (otherwise we can ignore it)
        If GetLocalUserProfile(objItem.Name) <> "" Then
            ret = StageUser(objItem.Name, DomainFQDN, strDomain)
        End If
    Next
End Function
The functions called here are GetComputerName, which returns the name of the local machine, and the other important ones are GetLocalUserProfile and StageUser. The first we can check is GetLocalUserProfile.
Shared User Profiles – Alternative to Migration
by dwarfsoft on Mar.12, 2010, under Novell, Scripting, Tweet, Work
Well, I have been very slack in that I haven’t updated with my Group Policy investigations or the eDirectory VBScript classes I was working on, but what I have been involved in recently is working on Migrating Workstations from Novell eDirectory to Active Directory.
In this process I have come across an array of options in migrating accounts from a Local User account to Domain User account and transferring the profiles across to keep the user “look and feel” that they are accustomed to.
One problem: In this scenario it makes for a very manual rollback strategy, no matter how much scripting and automation is involved in the migration process. This boils down to Novell's implementation of “Dynamic Local User” which effectively creates a Local User Account that is not really bound to a User Account in eDirectory for Authentication or mapping purposes (which you can see if you look at the account SIDs).
GroupWise Audit and Batch/Cmd Escaping
by dwarfsoft on Jul.27, 2009, under Novell, Scripting, Tweet, Uncategorized, Work
I was required recently to audit passwords on all the Novell GroupWise accounts in the cluster. This was not too much of a problem using existing solutions, except that all the existing solutions limited searches to either Users, or to objects with the “NGW: Object ID” attribute.
The Solutions I found include Check GroupWise Users for Password – Batch and Check GroupWise Users for Password – Exe, both of which made use of GWSend. Being an avid scripting aficionado myself I opted for the first, so I could make changes.
First step was to export all User Objects with NGW: Object ID into an Excel sheet using DSReport. Then export all GroupWise External Entities with NGW: Object ID to a different Excel Sheet. Finally I needed to export all GroupWise Resources, which do not have an NGW: Object ID, but their CN is effectively the NGW: Object ID for which we can log in and try to send emails. Upon completing this I compiled a single list of Allusers.csv which had the NGW: ObjectID/CN in the first column, and the DN for the Object Name and Location within the tree. This makes it far easier to track down the location of generic accounts (Something that none of the scripts account for).
Becoming a Published Author
by dwarfsoft on Feb.25, 2009, under Book Reviews, Novell, Scripting, Work
Well, as some of you may know, I was involved in writing a series of articles that started back in 2001 and continued until 2004 on some simple programming concepts using C++. An Introduction to Pointers, Structures and Linked Lists has now made a home for itself inside the new GameDev.Net book, Beginning Game Programming: A GameDev.Net Collection. This book is a collection of edited articles that have been posted to GameDev.Net over a period of years.
Manipulating CSV Files – Part 1
by dwarfsoft on Sep.09, 2008, under Certification, LDAP, Novell, Politics, Scripting, Study, Training, Work
Before I jump into the fun that is the Scripting that I have been wading through this past week, I thought I’d let all of those who may care know that I finally have some kind of certification. I passed Microsoft exams 70-291 and 70-284. So I am now the proud holder of a Microsoft Certified Systems Administrator Messaging Specialist certification (MCSA Messaging). Now I am concentrating on the final three exams so that I can get my MCSE.
After a rather hectic week of scripting a solution and then distributing it under an excessively short deadline, I have been asked to provide stats on the result of forcing this solution out to clients. The solution that I had to develop keeps tabs on a System Volume Image of PCs, and ensures that this Image never gets too far out of date. Currently I am not forcing a Store every restart, as the planned solution was to do, but I do inform the client that their current Image is out of date and ask them if they want to do a Store now. If they click on Yes then their PC is rebooted and the Store is done (providing that one of many flaws in the current Store process does not interrupt the process).
Return to GetVolumeNumber
by dwarfsoft on Sep.02, 2008, under Novell, Politics, Scripting, Study, Training, Work
Since my last post I came to the realisation that I really didn’t like the way that the Diskpart box popped up on screen during the function call, so I did what I said I should have done and created the function the other way. This also cleans up the text files after completion, which is something the previous function didn’t do.
For completeness I also made the function a little more generic, so it takes the Volume Label as the Variable, and falls back to “IMAGE” if none was passed.
MSI Installer Limitations
by dwarfsoft on Aug.28, 2008, under Novell, Scripting, Study, Work
I have spent the last few days creating a few MSI packages and fixing some pre-existing MSI packages. One issue that I found with working on an MSI that installs files to a Hidden partition is that InstallShield has very little in the way of control over partitions, mountpoints and the like. This was not really an issue, as I am using a SOE and can Mount Volumes through VBScript.
The one issue that we had with mounting this specific Volume is that if a USB Drive or a Virtual CD/DVD drive is installed on the machine, it modifies the volume numbering scheme. The volume we were previously attempting to mount was Volume 3. This became Volume 4 in the event that another drive was connected, or a higher number depending on how the USB drive was partitioned.
Not a grand issue, but one that was overlooked by the Corporate boys when they released one of their imaging tools (the hidden volume is the Image volume). I modified their install script to use a bit more smarts when attempting to find the volume it needs.
Changing Roles
by dwarfsoft on Jun.30, 2008, under Novell, Politics, Scripting, Work
Interesting moves happening at work. Today I moved into a Networks role. Originally it was intended that I be doing 80% Servers and 20% Networks due to the solid input I have provided within the Server team to date. This has now been changed to 80% Networks and 20% Servers. The guy who I am filling in for didn’t like the idea of his role being technically abandoned, and I agree with him. There will definitely be some Server Action from my end anyway, because I have a keen interest in running with a few ideas.
Trav and I have approached the Server team with an idea on distributing apps more effectively, relying mainly on network addresses of the PCs to correctly locate an application server. This brings up a few logistical hurdles.