So, rather than fix the source of the problem I work within the structure I am given. After my forays in the past couple of days I found it immensely frustrating trying to get the Product Code key to update our documentation for each MSI which had been rebuilt. This is because, up until now, I had been installing the MSI and searching for the MSI name under HKEY_CLASSES_ROOT\Installer\Product\. The code displayed under this key had confused me for quite some time until I found some information regarding a “Packed GUID“.

As it turns out, the code I linked to doesn’t work. It did, however, lead me to figure out HOW to make it work by making me assess each of the “chunks” in the original GUID.

Effectively there are 5 parts to Each GUID
{11111111-2222-3333-4444-555555555555}

The “Packed GUID” is a regrouping of these numbers, removing the dashes and braces. So, for the first group (11111111) the order in the original GUID appears as ABCDEFGH. The order in the Packed GUID is HGFEDCBA. The Second group (2222) is appended in reverse again (from ABCD to DCBA). The third group is also appended in reverse (from ABCD to DCBA).

The last two groups are a little more complex. Each pair is switched such that for group four (4444) the original GUID appears as ABCD but the packed guid appears as BADC. The last group (555555555555) follows this order as well so for the order ABCDEFGHIJKL the packed GUID will be appended reordered as BADCFEHGJILK.

In VBScript Terms this can be expressed as the following:

Function PackGUID(guid)  
   PackGUID = ""  
   '*  
   Dim temp  
   temp = Mid(guid,2,Len(guid)-2)  
   Dim part  
   part = Split(temp,"-")  
   Dim pack  
   pack = ""  
   Dim i, j  
   For i = LBound(part) To UBound(part)
      Select Case i
     Case LBound(part), LBound(part)+1, LBound(part)+2
         For j = Len(part(i)) To 1 Step -1  
            pack = pack & Mid(part(i),j,1)  
         Next  
     Case Else
        For j = 1 To Len(part(i)) Step 2  
            pack = pack & Mid(part(i),j+1,1) & Mid(part(i),j,1)  
         Next  
     End Select
   Next  
   '*  
   PackGUID = pack  
End Function

So, this was the first step for the time saving measure of extracting the right code. The next issue was how to get the codes in the first place. I knew that there had to be an easier way than opening up InstallShield and Copying out the Codes manually. The first thing that came to mind was the Summary Information Stream of an MSI file (as you can see by right-clicking on an MSI and going to Properties, then Summary). There was a lot of information about this, particularly from MSDN. This lead me to getting the Package Code:

   'create installer object
   Set objDictionary = CreateObject("Scripting.Dictionary")
   Set oInstaller = CreateObject("WindowsInstaller.Installer")
   'open msi in read-only mode
   Set oDatabase = oInstaller.OpenDatabase(MSIPath, 0)
   ' Get Package Code from Summary Information Stream   
   Set streamobj = oDatabase.SummaryInformation(0) '0 = read only
   objDictionary("PackageCode") = streamobj.Property(9)

This is useful, but the Code that HKCR\Installer\Product\{Packed GUID} references comes from the MSI Product Code. So I went back to the drawing board and researched VBScript Installer Database Product Code some more and found this, followed by this gem. From here it was very easy to pull out GUID’s from the MSI packages, and I didn’t even need to do it on a machine with InstallShield actually Installed. The Windows Installer takes care of everything.

Complete code (from start to finish):

'Created by:   Chris Bennett
'Created Date: 22/06/2010
'Description:
'   Opens up MSI file(s) Passed as Arguments and returns ProductName, ProductCode,
'   The HKCR key created from ProductCode (a Packed GUID of ProductCode), the PackageCode
'   and the UpgradeCode of the MSI. Much quicker than getting these out of the MSI's the
'   Manual Way.

'References:
'  http://msdn.microsoft.com/en-us/library/aa369794%28VS.85%29.aspx
'  http://www.eggheadcafe.com/forumarchives/platformsdkmsi/Jan2006/post25948124.asp

For Each MSIPath in WScript.Arguments
  Set MSIDetails = EvaluateMSI(MSIPath)
  WScript.Echo MSIPath & ": "
  WScript.Echo "   Product Name: " & MSIDetails("ProductName")
  WScript.Echo "   Product Code: " & MSIDetails("ProductCode")
  WScript.Echo "   Product Key : " & "HKCR\Installer\Products\" & PackGUID(MSIDetails("ProductCode"))
  WScript.Echo "   Package Code: " & MSIDetails("PackageCode")
  WScript.Echo "   Upgrade Code: " & MSIDetails("UpgradeCode")
  WScript.Echo ""
Next
 
Function EvaluateMSI(MSIPath)
   On Error Resume Next
   'create installer object
   Set oInstaller = CreateObject("WindowsInstaller.Installer")
   'open msi in read-only mode
   'Set oDatabase = oInstaller.OpenDatabase("d:\USERDATA\BennettCm\Desktop\EN-UNHIDE-OUTLOOK-1-01.msi", 0)
   Set oDatabase = oInstaller.OpenDatabase(MSIPath, 0)
   Set objDictionary = CreateObject("Scripting.Dictionary")
 
   ' Get Package Code from Summary Information Stream   
   Set streamobj = oDatabase.SummaryInformation(0) '0 = read only
   objDictionary("PackageCode") = streamobj.Property(9)
 
   ' Get Product Name from MSI Database
   Set View = oDatabase.OpenView("Select `Value` From Property WHERE `Property`='ProductName'")
   View.Execute
   Set ProductName = View.Fetch
   objDictionary("ProductName") = ProductName.StringData(1)
 
   ' Get Product Code from MSI Database
   Set View = oDatabase.OpenView("Select `Value` From Property WHERE `Property`='ProductCode'")
   View.Execute
   Set ProductCode = View.Fetch
   objDictionary("ProductCode") = ProductCode.StringData(1)
 
   ' Get Upgrade Code from MSI Database
   Set View = DB.OpenView("Select `Value` From Property WHERE `Property`='UpgradeCode'")
   View.Execute
   Set UpgradeCode = View.Fetch
   objDictionary("UpgradeCode") = UpgradeCode.StringData(1)
 
   Set EvaluateMSI = objDictionary
   On Error Goto 0
End Function
 
Function PackGUID(guid)  
   PackGUID = ""  
   '*  
   Dim temp  
   temp = Mid(guid,2,Len(guid)-2)  
   Dim part  
   part = Split(temp,"-")  
   Dim pack  
   pack = ""  
   Dim i, j  
   For i = LBound(part) To UBound(part)
      Select Case i
     Case LBound(part), LBound(part)+1, LBound(part)+2
         For j = Len(part(i)) To 1 Step -1  
            pack = pack & Mid(part(i),j,1)  
         Next  
     Case Else
        For j = 1 To Len(part(i)) Step 2  
            pack = pack & Mid(part(i),j+1,1) & Mid(part(i),j,1)  
         Next  
     End Select
   Next  
   '*  
   PackGUID = pack  
End Function

Run from cscript it outputs like:

P:\Folder\To\MSI\MSI Name.msi:
   Product Name: MSI Name
   Product Code: {A2961B30-4875-4535-AE36-DA064263BA50}
   Product Key : HKCR\Installer\Products\03B1692A57845354EA63AD602436AB05
   Package Code: {5F735447-A72D-4571-8C8D-AD80E2B30F22}
   Upgrade Code: {A2961B30-4875-4535-AE36-DA064263BA50}

I created a Batch File that also makes use of this script to trawl through folders pulling out the information and dumping it into a Codes.txt file.

@ECHO OFF
REM Created By:   Chris Bennett
REM Created Date: 22/06/2010
REM Description:
REM    Finds MSI''s under the current Directory (or passed Directory)
REM    Calls GetMSICodes.vbs to extract the MSI Package,Product and Upgrade Codes
REM    Saves these codes into Codes.txt
 
CD /D %~dp0
IF /I "%~1" NEQ "" CD /D %1
FOR /F "tokens=* delims=" %%A IN ('DIR *.MSI /B /S') DO (
  cscript.exe GetMSICodes.vbs "%%A" //Nologo >> Codes.txt
  )

Hope you enjoyed, I certainly did

Cheers, Chris.

As everybody is probably already aware, we use Novell ConsoleOne and Zenworks where I work. ConsoleOne has some interesting features that require that whenever a Group Policy is being edited it takes over as the policy on the machine that is editing it. Rather than have a useful tool like Microsofts Group Policy Management Console, Novell likes to replace the local Group Policy and then just run gpedit.msc. Which is where my first gripe about gpedit.msc comes in:

GPEdit.msc requires line by line entry of things like, for example, port exceptions and program exceptions for the Windows Firewall. This is usually not an issue except that, as I have discussed in previous posts, we have been moving towards a Windows Domain environment. Firewall Exception rules are configured within two places in Group Policy: Domain Profile and Standard Profile. I have found that there is a need to move our current Standard Profile settings across to the Domain Profile settings. After a bit of registry searching I found a neat trick for doing exactly that.

In Novell, when a GPO is opened in gpedit.msc the Group Policy Contents are loaded into the normal registry locations (as per a normal GPO being applied to user and machine) and the contents are also loaded under a specific pair of registry keys. The HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects Key is created on loading gpedit.msc, and underneath a pair of Keys are created like {449E44B0-A4DC-4665-AE8F-68710E1BC1EC}Machine and {449E44B0-A4DC-4665-AE8F-68710E1BC1EC}User, where the GUID is randomly generated (or at least seems to be random) each time gpedit.msc is run. Under these keys are the branch on which the Group Policy Settings are configured.

So therefore in order to duplicate StandardProfile Settings I need to duplicate all keys and values underneath HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{GUID}Machine\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\, where {GUID} is the randomly generated GUID for editing a Group Policy Object. So far from my research I have never seen more than one GUID appear underneath the Group Policy Objects key, though your mileage may vary. So the first step is to get the User and Machine keys from under the Group Policy Objects key.

Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
 
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7
 
strComputer = "."
 
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
 strComputer & "\root\default:StdRegProv")
 
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\"
strStandardPath = "\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\"
strDomainPath = "\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"
 
If keyExists(HKEY_CURRENT_USER,strKeyPath) Then
  subkeys = GetSubkeys(HKEY_CURRENT_USER,strKeyPath)
  If Not IsEmpty(subkeys) Then
    GPOMachine = subkeys(LBound(subkeys)) 
    GPOUser    = subkeys(UBound(subkeys))
 
    RegCopyTree HKEY_CURRENT_USER, strKeyPath & GPOMachine & strStandardPath, strKeyPath & GPOMachine & strDomainPath, False
  Else
    WScript.Echo "Policy not found, please try editing the policy manually"
  End If
Else
  WScript.Echo "Please start editing the Group Policy before running this script"
End If

The code here is the shell of the script. We need to flesh out the functions keyExists, GetSubkeys, RegCopyTree, and valueExists (which we can’t see just yet). So first we will have a look at keyExists:

Function keyExists(Hive, Key)
  On Error Resume Next
  Err.Clear
 
  ret = objReg.EnumValues(Hive,Key,arrValues,arrValueTypes)
 
  If ret <> 0 Then
    keyExists = False
  Else
    keyExists = True
  End If
  Err.Clear
  On Error Goto 0
End Function

Fairly straightforward, we try and enumerate the values of a key. If we succeed then the key does exist, otherwise it doesn’t. We will use the same principle for checking if a Value Exists.

Function valueExists(Hive, Key, ValueName)
  On Error Resume Next
  Err.Clear
 
  valueExists = False
  If Not keyExists(Hive, Key) Then
    Exit Function
  End If
 
  ret = objReg.EnumValues(Hive,Key,arrValues,arrValueTypes)
 
  If IsNull(arrValues) Then
    Exit Function
  End IF
 
  For i = LBound(arrValues) to UBound(arrValues)
    If LCase(CStr(arrValues(i))) = LCase(CStr(ValueName)) Then
	  valueExists = True
	  Exit Function
	End If
  Next
 
  valueExists = False
 
  Err.Clear
  On Error Goto 0
End Function

Here, we take the Enumeration of the Keys Values a step further and actually step through them looking for a match with ValueName. I have opted for a Case Insensitive search due to registry being case insensitive with value names.

Function GetSubkeys(Hive, Key)
  On Error Resume Next
  Err.Clear
 
  ret = objReg.EnumKey(Hive,Key,arrSubkeys)
 
  GetSubkeys = arrSubkeys
 
  Err.Clear
  On Error Goto 0
End Function

Possibly the simplest of the functions, GetSubkeys just returns an array of Keys underneath the current Key. The most indepth function we require is the RegCopyTree:

Function RegCopyTree(Hive, SrcKey, DestKey, Force)
  On Error Resume Next
  Err.Clear
  strComputer = "."
  Set StdOut = WScript.StdOut
  strValue = ""
  If Force <> True Then
    Force = False
  End If
 
  if Right(SrcKey,1) <> "\" Then SrcKey = SrcKey & "\"
  if Right(DestKey,1) <> "\" Then DestKey = DestKey & "\"
 
  ret = objReg.EnumValues(Hive,SrcKey,arrValueNames,arrValueTypes)
 
  For i= LBound(arrValueNames) To UBound(arrValueNames)
    'StdOut.WriteLine "Value Name: " & arrValueNames(i) 
	StdOut.WriteLine "Copying from: " & SrcKey & arrValueNames(i)
	StdOut.WriteLine "To          : " & DestKey & arrValueNames(i)
    StdOut.Write     "       Value: "
 
	If (Not valueExists(Hive, DestKey, arrValueNames(i))) Or Force Then
	  Select Case arrValueTypes(i)
			Case REG_SZ
				'StdOut.WriteLine "Data Type: String"
				'StdOut.WriteBlankLines(1)
				
				objReg.GetStringValue Hive, SrcKey, arrValueNames(i), strValue
				objReg.SetStringValue Hive, DestKey, arrValueNames(i), strValue
				StdOut.Write strValue
			Case REG_EXPAND_SZ
				'StdOut.WriteLine "Data Type: Expanded String"
				'StdOut.WriteBlankLines(1)
				
				objReg.GetExpandedStringValue Hive, SrcKey, arrValueNames(i), strValue
				objReg.SetExpandedStringValue Hive, DestKey, arrValueNames(i), strValue
				StdOut.Write strValue
 
			Case REG_BINARY
				'StdOut.WriteLine "Data Type: Binary"
				'StdOut.WriteBlankLines(1)
				
				objReg.GetBinaryValue Hive, SrcKey, arrValueNames(i), strValue
				objReg.SetBinaryValue Hive, DestKey, arrValueNames(i), strValue
				For Each x in strValue
		          StdOut.Write Hex(x) & " "
		        Next
 
			Case REG_DWORD
				'StdOut.WriteLine "Data Type: DWORD"
				'StdOut.WriteBlankLines(1)
				
				objReg.GetDWORDValue Hive, SrcKey, arrValueNames(i), strValue
				objReg.SetDWordValue Hive, DestKey, arrValueNames(i), strValue
 
				StdOut.Write Hex(strValue)
			Case REG_MULTI_SZ
				'StdOut.WriteLine "Data Type: Multi String"
				'StdOut.WriteBlankLines(1)
				
				objReg.GetMultiStringValue Hive, SrcKey, arrValueNames(i), strValue
				objReg.SetMultiStringValue Hive, DestKey, arrValueNames(i), strValue
				For Each x in strValue
		          StdOut.Write x
		        Next
		End Select 
 
		StdOut.WriteLine ""
    End If '' Force
  Next
 
  ret = objReg.EnumKey(Hive,SrcKey,arrSubkeys)
 
  For i = LBound(arrSubkeys) to UBound(arrSubkeys)
    If Not keyExists(Hive,DestKey & arrSubkeys(i)) Then
	  objReg.CreateKey Hive,DestKey & arrSubkeys(i)
	End If
	RegCopyTree Hive, SrcKey & arrSubkeys(i), DestKey & arrSubkeys(i), Force
  Next
 
  On Error Goto 0
End Function

This function takes the Hive, Source Key, Destination Key, and a Boolean Value to determine whether to Force overwriting existing values. It first creates the Destination key if it doesn’t already exist, then enumerates all values in the Source path, and writes them to the Destination path, creating new values or overwriting only if Force is set. This function has a lot of StdOut.Write calls to show the progress of the duplication. Running the script via CScript gives the following results:

Copying from: Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{678C8897-54AA-4FB9-AA72-6C227C287D12}Machine\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
To          : Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{678C8897-54AA-4FB9-AA72-6C227C287D12}Machine\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
       Value: 1
Copying from: Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{678C8897-54AA-4FB9-AA72-6C227C287D12}Machine\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\Enabled
To          : Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{678C8897-54AA-4FB9-AA72-6C227C287D12}Machine\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\Enabled
       Value: 1
...

This should simplify the time taken for duplicating from Standard to Domain profile. For future reference this has also made it far easier to import/export port/program exceptions from policies I am editing. In future I may incorporate this into my Group Policy Firewall Exceptions Excel Spreadsheet in VBA to allow writing updated policies to the Policy.

After running this the settings will be seen to have changed in the Group Policy Editor Window immediately. I have tested this and checked that the Logging file is not replaced by “…\standard.log” where it should be “…\domain.log”.

Cheers, Chris.

Attached: RegFirewallProfileDuplication.vbs

After quite some time looking in to how to achieve my goal I came up with a rather simple, yet ultimately hacky, solution. Give the SYSTEM Account Administrative Privileges.

It turns out that the SYSTEM Account, despite not having Administrator level permissions, does have permission to modify group memberships. As such I came up with two functions to manage these permissions for itself:

'*****************************************************************
' Elevates the System Account to a Member of the Administrators Group
Function ElevateSystem
  strSystemUser = "WinNT://NT AUTHORITY/SYSTEM"
  Set objGroup = GetObject("WinNT://./Administrators,group")
  If Not objGroup.isMember(strSystemUser) Then
    objGroup.Add (strSystemUser)
  End If
End Function
 
'*****************************************************************
' Removes the System Account from the Administrators Group
Function RelegateSystem
  strSystemUser = "WinNT://NT AUTHORITY/SYSTEM"
  Set objGroup = GetObject("WinNT://./Administrators,group")
  If objGroup.isMember(strSystemUser) Then
    objGroup.Remove (strSystemUser)
  End If
End Function

I just run ElevateSystem at the start of the script and then RelegateSystem at the end of the script and I have no issue with permissions anymore.

Elegant, yet hacky. Hope somebody found this useful, because it sure beats creating (and then managing) a new Administrator User on thousands of Workstations.

N.B. I should also point out that if you are installing a script onto Workstations that you will be using this kind of workaround on, make sure you set the permissions on it. The last thing you need is somebody hijacking your script to do whatever they want with Administrative Privileges.

Cheers, Chris.

In order to maintain current BGInfo information the implementation is running periodically, so this is unnacceptable. Therefore I had to work to resolve the issue manually. As I have had a fair bit of experience with Windows Profiles recently (see the last blog post) I was familiar with the ProfileLoadTimeHigh and ProfileLoadTimeLow registry keys in the ProfileList. So I set out to determine how to actually use these to determine the login time. I first wrote some code to get the User SID based on the users “%userdomain%” and “%username%”:

DIM oNet, strComputerName, strUserName, strUserDomain
SET oNet = CreateObject("WScript.Network")
strComputerName = oNet.Computername
strUserName = oNet.UserName
strUserDomain = oNet.UserDomain
SET oNet = nothing
 
Set WMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
 
SubKey = ""
 
Set wmiCol = WMI.ExecQuery ("SELECT Domain, Name, SID FROM Win32_Account where Name="""&strUserName&""" And Domain="""&strUserDomain&"""")
For each wmiItem in wmiCol
  SubKey = wmiItem.SID
  Exit For
Next

So I set Subkey to be the String SID of the user, which I could then use to read the ProfileLoadTimeHigh and ProfileLoadTimeLow keys for the correct profile. I used the basic script from MyITForum, however this failed to take into account the timezone on the local machine. Therefore the first thing I needed to do was get the users timezone.

tz = 0
For Each os In GetObject("winmgmts:").InstancesOf ("Win32_OperatingSystem")
  tz = os.CurrentTimeZone
  Exit For  
Next

Then I integrated the Timezone offset (in minutes) into the original ProfileLoadTime script.

Const HKEY_LOCAL_MACHINE = &H80000002
 
strReturn = ""
 
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv"  )
strKeyPath = "SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\ProfileList\" & SubKey 
 
strValueName = "ProfileLoadTimeHigh"
Return = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,lngHighValue)
strValueName = "ProfileLoadTimeLow"
Return = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName,lngLowValue)
If typename(lngHighValue) <> "Null" then
  NanoSecs = (lngHighValue * 2 ^ 32 + lngLowValue)
  '' /* Returns time in Workstation Timezone */
  DT = #1/1/1601# + (NanoSecs / 600000000 / 1440) + (tz / 1440)
  strReturn = CDate(DT)
End if

Finally the output is printed as per a standard BGInfo script

On Error Resume Next
	call WScript.Echo(strReturn)	'for cmd line
	call Echo(strReturn)	'for BGInfo
on error goto 0

This works for Power Users as well, which the original script did not (due to permissions issues). Hope this helped you in some way

Cheers, Chris.

Function StageAllUsers(DomainFQDN, strDomain)
   ' Enumerate all users that are Local and not built in accounts.
   strComputer = "."
   Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
   'Enumerate users where the User Domain is the Local Machine
   Set colItems = objWMIService.ExecQuery _
                  ("Select * from Win32_UserAccount " & _
                   "Where Domain = '" & GetComputerName & "' " & _
                   "And Disabled = FALSE And Name <> 'Administrator'")
   ' Stage each user
   For Each objItem In colItems
      ' Ensure the account actually has a profile (otherwise we can ignore it)
      If GetLocalUserProfile(objItem.Name) <> "" Then
         ret = StageUser(objItem.Name, DomainFQDN, strDomain)
      End If
   Next
End Function

The functions called here are GetComputerName, which returns the name of the local machine, and the other important ones are GetLocalUserProfile and Stage User. The first we can check is GetLocalUserProfile.

'Gets the Profile Path for the User passed in UserName.
' This requires the profile to exist on the local machine
' Returns an empty string on error
Function GetLocalUserProfile(UserName)
   On Error Resume Next
   GetLocalUserProfile = ""
   SDDL = GetLocalUserSDDL(UserName)
   If SDDL = "" Then
      Exit Function
   End If
   Set objShell = CreateObject("WScript.Shell")
   GetLocalUserProfile = objShell.ExpandEnvironmentStrings( _
                            objShell.RegRead( _
                               "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\" & _
                               SDDL & _
                               "\ProfileImagePath"))
  On Error Goto 0
End Function

The registry path (including the SDDL, covered next) returns the profile path for the user. This relies on a function called GetLocalUserSDDL which goes as follows:

Function GetLocalUserSDDL(UserName)
   strComputer = "."
   Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
   'Enumerate users where the User Domain is the Local Machine
   'and the username matches the Supplied Name
   Set colItems = objWMIService.ExecQuery _
                     ("Select * from Win32_UserAccount  " & _
                      "Where Domain = '" & GetComputerName & "' " & _
                      "And Name = '" & UserName & "'")
   GetLocalUserSDDL = ""
   For Each objItem In colItems
      'Get the first returned SID/SDDL then exit
      GetLocalUserSDDL = objItem.SID
      Exit Function
   Next
End Function

This reads the SDDL (eg S-1-5-21-791012361-4073638415-1907800938-1006 or otherwise known as the String SID) for the User on the local machine. The next major function is Stage User:

Function StageUser(UserName, DomainFQDN, strDomain)
   Set objShell = CreateObject("WScript.Shell")
   ' Not Assuming "C:\Documents and Settings\" & UserName:
   '   Get SDDL of user via WMI interrogation of UserAccount
   '   Get Profile Location of user (from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\" & SDDL & "ProfileImagePath"
   strProfile = GetLocalUserProfile(UserName)
 
   ' Set ACLs on ProfileLocation
   ret = objShell.Run("subinacl /subdirectories """ & strProfile & """ /grant=""" & UserName & "@" & DomainFQDN & """=F",0,True)
 
   ' Set ACLs on D:\UserData\%username%
   ret = objShell.Run("subinacl /subdirectories ""D:\UserData\" & UserName & """ /grant=""" & UserName & "@" & DomainFQDN & """=F",0,True)
 
   ' Reg load ProfileLocation\NTUSER.DAT into HKU\%username%
   ret = objShell.Run("reg load ""HKU\" & UserName & """ """ & strProfile & "\NTUSER.DAT""" ,0,True)
   ' Reg load ProfileLocation\Local Settings\Application Data\Microsoft\Windows\UsrClass.DAT into HKU\%username%_Classes
   ret = objShell.Run("reg load ""HKU\" & UserName & "_Classes"" """ & strProfile & "\Local Settings\Application Data\Microsoft\Windows\UsrClass.DAT""" ,0,True)
 
   'Try both of the following. One should fail, the other should pass.
   ' Set ACLs on HKU\%username%
   ret = objShell.Run("subinacl /subkeyreg ""HKEY_USERS\" & UserName & """ /grant=""" & UserName & "@" & DomainFQDN & """=F",0,True)
   ' If User is already logged in then the registry will be open at HKU\SDDL
   ret = objShell.Run("subinacl /subkeyreg ""HKEY_USERS\" & GetLocalUserSDDL(UserName) & """ /grant=""" & UserName & "@" & DomainFQDN & """=F",0,True)
 
   'Try both of the following. One should fail, the other should pass.
   ' Set ACLs on HKU\%username%
   ret = objShell.Run("subinacl /subkeyreg ""HKEY_USERS\" & UserName & "_Classes"" /grant=""" & UserName & "@" & DomainFQDN & """=F",0,True)
   ' If User is already logged in then the registry will be open at HKU\SDDL
   ret = objShell.Run("subinacl /subkeyreg ""HKEY_USERS\" & GetLocalUserSDDL(UserName) & "_Classes"" /grant=""" & UserName & "@" & DomainFQDN & """=F",0,True)
 
   ' Reg unload HKU\%username%
   ret = objShell.Run("reg unload ""HKU\" & UserName & """",0,True)
   ' Reg unload HKU\%username%_Classes
   ret = objShell.Run("reg unload ""HKU\" & UserName & "_Classes""",0,True)
 
   ' Get Domain User SID from ProfileLocation ACL
   arrSID = GetDomainUserSidFromFolderACL(strProfile, UserName, strDomain)
 
   If UBound(arrSID) > 0 Then
      ' Convert Domain User SID to SDDL
      WScript.Echo "Getting Sid for " & UserName
      SDDL = ArraySidToStrSid(arrSID)
 
      ' Stage Domain User Profile into Registry under HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\%DomainUserSDDL%
      ret = CreateAndLinkProfile(SDDL, arrSID, strProfile)
   Else
      'Account didn't exist in the domain or ACL failed to set on Folder
   End If
End Function

For the most part this function behaves by running external commands to mount registry hives, and set ACLs on folders and registry, all up until we call GetDomainUserSidFromFolderACL. This is where we retrieve the SID of the Domain User that we are pre-staging via the ACL we set earlier on the Local User Profile folder. This subverts the need to query Active Directory for the SID through other means.

Function GetDomainUserSidFromFolderACL(strFolder, strUserName, strUserDomain)
   Dim arrSID(0)
   GetDomainUserSidFromFolderACL = arrSID
 
   Set objFSO = CreateObject("Scripting.FileSystemObject")
   If Not objFSO.FolderExists(strFolder) Then
      Set objFSO = Nothing
      Exit Function
   End If
 
   ' Ensure that strFolder is of the form C:\\Documents and Settings\\UserName
    strFolderName = Replace(strFolder, "\\","\")
    strFolderName = Replace(strFolderName, "\","\\")
 
   Set wmiFileSecSetting = GetObject( _
      "winmgmts:Win32_LogicalFileSecuritySetting.path='" & strFolderName & "'")
 
   RetVal = wmiFileSecSetting. _
       GetSecurityDescriptor(wmiSecurityDescriptor)
   If Err <> 0 Then
       Exit Function
   End If
 
   ' Retrieve the DACL array of Win32_ACE objects.
   DACL = wmiSecurityDescriptor.DACL
 
   For each wmiAce in DACL
   ' Get Win32_Trustee object from ACE 
      Set Trustee = wmiAce.Trustee
      If (StrComp(Trustee.Name, strUserName, vbTextCompare) = 0) And _
         (StrComp(Trustee.Domain, strUserDomain, vbTextCompare) = 0) Then
         GetDomainUserSidFromFolderACL = Trustee.SID
         Exit Function
      End If
   Next
End Function

Although this subverts the need to Query Active Directory, this does also mean that we receive the SID in a format that is unexpected. Normally, via querying Active Directory we would have received a SID in an Octet String format. Querying the SID from WMI returned it in SDDL or String SID format. The format that we receive the SID from the ACL is in an Array of Integers. In order to Pre-stage an account we need the SDDL/String SID, and the only way to get this in VBScript is to manually convert it using some functions developed by Richard Mueller and Wilfred Wong in this newsgroup posting.

Instead of using only the code listed, we need to alter it for dealing with the SID array we received back from the ACL.

Function ArraySidToStrSid(arrSid)
   ' Function to convert OctetString (byte array) to Decimal string (SDDL) Sid.
   Dim strHex, strDec
 
   strHex = ArraySidToHexStr(arrSid)
   strDec = HexStrToDecStr(strHex)
   ArraySidToStrSid = strDec
End Function
 
Function ArraySidToHexStr(arrSid)
   ArraySidToHexStr = ""
   For Each x In arrSid
      ArraySidToHexStr = ArraySidToHexStr & _
         Right("0" & Hex(x), 2)
   Next
End Function

The HexStrToDecStr function is the same as it was from the Richard Mueller posting listed above.

Finally we just need to run through the actual staging of the account:

Function CreateAndLinkProfile(strNewSDDL, strNewSID, strProfilePath)
   WScript.Echo "Creating Profile for " & strNewSDDL & ": " & strProfilePath
   'Write Sid to registry
   ret = WriteRegBinaryToRegistry(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strNewSDDL,"Sid",strNewSID)
   ret = WriteRegStringToRegistry(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strNewSDDL,"ProfileImagePath",strProfilePath)
   ret = WriteRegStringToRegistry(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strNewSDDL,"CentralProfile","")
   ret = WriteRegDwordToRegistry(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strNewSDDL,"Flags",1)
   ret = WriteRegDwordToRegistry(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strNewSDDL,"State",0)
End Function

At this point if the Domain User logs in they get redirected to the existing local users profile. Then if rollback is initiated they log on with the Local User account with the same profile. This is seamless to end users, both forward and backward.

On a side note the functions for writing to the registry are through WMI due to needing to write Binary values to the Registry

Function WriteRegBinaryToRegistry(Hive, strKeyPath, strValueName, ArrValues)
   strComputer = "."
   Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
               strComputer & "\root\default:StdRegProv")
   oReg.CreateKey Hive,strKeyPath
 
   oReg.SetBinaryValue Hive, strKeyPath, strValueName,ArrValues
End Function
 
Function WriteRegDwordToRegistry(Hive, strKeyPath, strValueName, Value)
   strComputer = "."
   Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
               strComputer & "\root\default:StdRegProv")
   oReg.CreateKey Hive,strKeyPath
 
   oReg.SetDwordValue Hive, strKeyPath, strValueName,Value
End Function
 
Function WriteRegStringToRegistry(Hive, strKeyPath, strValueName, Value)
   strComputer = "."
   Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
               strComputer & "\root\default:StdRegProv")
   oReg.CreateKey Hive,strKeyPath
 
   oReg.SetStringValue Hive, strKeyPath, strValueName,Value
End Function

Cheers, Chris.

Edit: DomainAccountProfileStaging.vbs has been uploaded as a complete file.

In this process I have come across an array of options in migrating accounts from a Local User account to Domain User account and transferring the profiles across to keep the user “look and feel” that they are accustomed to.

One problem: In this scenario it makes for a very manual rollback strategy, no matter how much scripting and automation is involved in the migration process. This boils down to Novells implementation of “Dynamic Local User” which effectively creates a Local User Account that is not really bound to a User Account in eDirectory for Authentication or mapping purposes (which you can see if you look at the account SIDs).

So, how can you Migrate a local profile to a Domain User account while still maintaining a seamless rollback option (without using Roaming Profiles… This is out of the question)? The solution I have worked on is what I am terming “pre-staging” or “seeding” the Domain User Profile.

1. Enumerate all Local Enabled Users (except for “Administrator”)
2. Get the SID for that User (and the SDDL/String SID)
3. Read the Profile Path for that User from Registry
4. Set an ACL on that folder for <Domain>\<UserName> (we have the UserName being replicated between eDirectory and Active Directory
5. Mount the existing users NTUser.dat into HKU\<UserName>
6. Set ACL on HKU\<UserName> and all subkeys for <Domain>\<UserName>
7. Set ACL on HKU\<LocalUserSID> and all subkeys for <Domain>\<UserName> (just in case the user is actually logged in)
8. Dismount HKU\<UserName>
9. Mount the User Class hive (UsrClass.dat) into HKU\<UserName>_Classes
10. Set ACL on HKU\<UserName>_Classes and all subkeys for <Domain>\<UserName>
11. Set ACL on HKU\<LocalUserSID>_Classes and all subkeys for <Domain>\<UserName> (just in case the user is actually logged in)
12. Dismount HKU\<UserName>_Classes
13. Read the ACL on the Profile Folder (set Earlier) for <Domain>\<UserName> to get the Domain User SID
14. Convert the Domain User SID to an SDDL/String SID
15. Pre-stage/Seed the Domain User Profile by creating a new Registry key in HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<DomainUserSDDL>
16. Write in a few choice keys, the two most important being ProfileImagePath (String) and Sid (Binary). (The others I seeded were the DWords State and Flags, which were set to 0, and CentralProfile, which was an empty string).

Once the eDirectory user is no longer a member of a DLU enabled User Profile Package, they will be forced to log on through the Active Directory Domain (yes, we are still logging on through the Novell Client). The Profile used for the Domain User will be the same as that used by the Local user. The added benefit is that our rollback strategy becomes “Add user to a DLU enabled User Policy Package” and gets them to log back into their original profile. To safely secure a situation where there is a catastrophic failure of the profile (loss) a backup of the profile can also be done at the seeding stage (just check %userdomain% for equality with %computername% to see if they are logging on with a Local account or a Domain Account).

This has had only minor testing at this stage, but as no paths have changed and there appears to be no problem with the Domain User using the existing Profile I believe this is a reasonably comprehensive solution. This, I must stress, is not a recommended way to deal with migrating users, but it is a tricky little feature that can be abused as I have just demonstrated.

Code (or VBScript) will follow soon

Cheers, Chris.

The updated EmailImport Addon is now available for download from the GTD-PHP Trac wiki.

I have since moved on to the next most important feature on my personal list of Enhancements (yes, before I fix my known bug in the previous one). I want to be able to have a scheduled email sent every morning with a report on what Actions are overdue, what actions are due today and a rundown on the coming actions in the next week. Additionally this report should contain information on Project deadlines of note (overdue, due and coming). Another report I want is to be able to have the weekly review report emailed weekly to myself (at my work and home email addresses).

To achieve this I have been looking in to using php scripts to create cron jobs on the host system (or schtasks jobs if on a WAMP server for example). I have most of the information required to achieve this now. Once I have implemented a scheduled tasks manager from within GTD-PHP I will then build a custom report builder, which will then be enhanced by the emailer. In all, three addons become interlocked for completing this next feature.

If I didn’t have GTD-PHP (and therefore wasn’t following the GTD methodology) to manage all my projects I probably would not be in the position of even being capable of extending any project (I am busier now than ever, but I have more control over my time than ever before). By completing the Addons in my list I will have so much better control over my time and be in a perfect position to achieve some Zen in my life .

Just so you get some perspective, when I first set up GTD-PHP I added a lot of actions, and immediately closed them. Those statistics had me max at about 30 items in a week. Currently this week I have closed 75 items, and the week isn’t over. Most of these items have been self imposed actions for me to develop, research, repair, investigate, or whatever. I have given myself more work than at the start, and I have more time off now to blog about it (yet another action) than I have ever had previously.

I thoroughly encourage everybody to look into David Allens Getting Things Done. Worked wonders for me

Cheers, Chris.

GroupWise decides it wants to MIME Encode the email, which brings about my first problem. I need to account for multiple MIME Parts. After resolving this my next issue is that the corporate email gateway decides to append a massive disclaimer at the bottom of the email, bloating my item by at least 1000%. So I implemented the ability to cut out disclaimers based on a stripos call. I can have a list of different filters here and it will cut them all out.

After fixing this up and resolving the functional issues I logged this addon as a ticket in the GTD-PHP Trac system.

I have a few further updates to make, including having bulk uploads, custom tags and mail filters.

Cheers, Chris

Being the kind of person who likes to adapt, change, and implement better solutions, particularly for myself, I created a list of features I would like to see in my GTD-PHP installation. One of the first problems I had with the existing system was that it does not support importing Inbox items from a real mail Inbox.

I did some research and came across an existing mail importer, however this required directly piping mail from SMTP into the php script, which I could not do on my host (or would prefer not to do).

I decided to build my own POP3 Importer of Inbox items and decided to learn PHP and imap_open. I built it as an addon to GTD-PHP that could be called to do an import, however I am still going to extend it so that in the GTD-PHP header additional headers can be called (ones that identify if new items have been added to an Inbox so I can get feedback of when somebody mails into that account).

<?php
//Script to insert e-mails into GTD-PHP inbox.
//These are loaded from a pop3 account
//The account info and other options are configured in the config.php file
//$config['addons']['pop3inbox']=array(
//        "link"=>"addons/pop3inbox/import.php",
//        'title'=>"Import POP3 Mail", 'label'=>"Import Inbox",
//        'where'=>'item.php?type=i','when'=>'after',
//        'options'=>array("user"   => 'gtduser',
//                         "pass"   => 'gtdpass',
//                         "server" => 'mail.server.com',
//                         "port"   => '995',
//                         "type"   => '/pop3/ssl/novalidate-cert',
//                         "delete" => true)
//                         );
//Subject becomes title
//From & Body becomes description
$title='Import POP3 Inbox';
include_once 'header.php';
 
$msoptions = $addon['options'];
 
mysql_connect($config['host'],$config['user'],$config['pass']);
mysql_select_db($config['db']);
 
$imap = imap_open("{".$msoptions['server'].":".$msoptions['port'].$msoptions['type']."}INBOX", $msoptions['user'], $msoptions['pass']);
if (!$imap) {
   print_r(imap_errors());
} else {
  $num_msg = imap_num_msg($imap);
  include_once('gtdfuncs.php'); 
  echo "importing ".$num_msg." messages<br>";
  echo "<div class='success'>\n";
  for ($i = $num_msg; $i > 0; $i--)
  {
    // empty vars
    $from = "";
    $subject = "";
    $headers = "";
    $message = "";
 
    $header = imap_headerinfo($imap, $i, 80, 80);
 
    $from = $header->fromaddress;
    $subject = $header->fetchsubject;
    $date    = date('YmdHis', $header->udate);
 
    $message=imap_body($imap, $i);
    $message="From: ".$from."\n\n".$message;
 
    mysql_query("INSERT INTO `".$config['prefix']."items` ( `itemId` , `title` , `description` , `desiredOutcome` )VALUES (NULL , '$subject', '$message', NULL);");
  mysql_query("INSERT INTO `".$config['prefix']."itemstatus` (`itemId`, `dateCreated`, `lastModified`, `dateCompleted`) VALUES (NULL, '".date($config["datemask"])."', NOW(), NULL);");
    mysql_query("INSERT INTO `".$config['prefix']."itemattributes` ( `itemId` , `type` , `isSomeday` , `categoryId` , `contextId` , `timeframeId` , `deadline` , `repeat` , `suppress` , `suppressUntil` )VALUES (NULL , 'i', 'n', '0', '0', '0', NULL , '0', 'n', NULL);");
 
    echo "Imported '".stripslashes(escapeChars($subject)),"' into Inbox<br />\n";
    if ($msoptions['delete'])
      imap_delete($imap, $i);
  }
  echo "</div>";
  if ($msoptions['delete'])
    imap_expunge($imap);
  imap_close($imap);
}
include_once 'footer.php';
?>

Works pretty well at this point. Though I am having problems getting mail into that POP3 account. Will have to work further on that today

Cheers, Chris.

The Solutions I found include Check GroupWise Users for Password – Batch and Check GroupWise Users for Password – Exe, both of which made use of GWSend. Being an avid scripting aficionado myself I opted for the first, so I could make changes.

First step was to export all User Objects with NGW: Object ID into an Excel sheet using DSReport. Then export all GroupWise External Entities with NGW: Object ID to a different Excel Sheet. Finally I needed to export all GroupWise Resources, which do not have an NGW: Object ID, but their CN is effectively the NGW: Object ID for which we can log in and try to send emails. Upon completing this I compiled a single list of Allusers.csv which had the NGW: ObjectID/CN in the first column, and the DN for the Object Name and Location within the tree. This makes it far easier to track down the location of generic accounts (Something that none of the scripts account for).

So, my first run through the script ended in Fail. Apparently the above solutions are expecting Email Addresses without Spaces. So after fixing that up I run it again, and again hit a Fail. Apparently the above solutions fail to account for special characters (/ in this instance). So, I fix this up as well… My script runs, I get a report, then I realise that I have more results than original users. Apparently the above script also assumes that there is only 1 line in the result.txt file. So I modified the script to only print out a result once all lines of the result.txt file had been parsed, using a SET to determine if the “Error:” had been encountered or not (Error indicating that a Password is on the account, no Error indicating that there is No password).

So, now I run through and notice that the audit fails to log the full line of text, even though it is capable of actually running the audit against that account. Fortunately none of the accounts without passwords were affected by this, but I decided to fix this for future runs. To break down the issues I needed to fix into a list here is the summary:

1. We have spaces in our Email Account Names
2. We have /’s in our Email Account Names
3. We have &’s in our Email Account Names
4. We are trying to create a HTML file with the above special characters (specifically &)
5. & doesn’t tend to work too nicely in batch files when using an open Echo (tries to run everything after the & as a program
6. I wanted to be able to track back to objects (DN’s) as opposed to just the GroupWise Account Name

Spaces were easy to fix… When running the command against an account simply put the “account in quotes”. The next step is to handle the Email and DN objects as Strings within Quotes as well, but we don’t want to output the quotes, which means we need to handle them properly. Examine the following issue:

SET String=A String With Special Chars&Slashes/ In \ it^ OK
ECHO %String%

This will return “‘Slashes’ is not recognized as an internal or external command, operable program or batch file.” Also, if we try and escape each of the characters we run into issues too.

SET String=A String With Special Chars&Slashes/ In \ it^ OK
SET String=%String:^=^^%
SET String=%String:\=^\%
SET String=%String:/=^/%
SET String=%String:&=^&%
ECHO %String%

The Output ends up as “A String With Special Chars”. So, in order to fix this we need to handle the string within Quotes, and only output it at the end:

SET String="A String With Special Chars&Slashes/ In \ it^ OK"
SET String=%String:^=^^%
SET String=%String:\=^\%
SET String=%String:/=^/%
SET String=%String:&=^&%
ECHO %String:~1,-1%

Finally, our output is “A String With Special Chars&Slashes/ In \ it^ OK”, without the quotes. So the first part works now for my output to the Logs (although my logs are CSV so I tend to leave the quotes on just in case there is a lurking comma, but this does provide a pretty Output to the Console). Now we need to convert these for HTML output.

SET String=%String:^&=^&%
SET String=%String:<=^&lt;%
SET String=%String:>=^&gt;%
ECHO %String:~1,-1%

Just provides that little added extra safety net for an echo directly into a HTML log. I am annoyed that I didn’t manage to figure this out earlier as I had some scripts I went directly to VBScript for to avoid the & errors I was getting. I had no idea that it was my subsequent SET x=%x:a=b%, SET x=%x:c=d% calls on an unquoted string.

The one caveat I have found to this is fixing quote marks within a string. I have yet to find a way to strip them effectively without breaking the string/batch file in the process. The closest I have come will work in most situations, but requires a placeholder you have to be sure will never exist within your string:

SET String=Thi\s" is ^a &t"es/t
SET String="%String:"="%"
Set String=%String:^=^^%
SET String=%String:&=^&%
SET String=%String:/=^/%
SET String=%String:\=^\%
SET String=%String:"=^"%
ECHO %String:~1,-1%

One other note I’d like to add is that of Padding numbers. This is a fairly well known feature of WinBatch, but I found it useful for getting well aligned output for which record I was currently up to:

Set _Num=0
...
SET /A %_Num%=%_Num%+1
SET DispNum=     %_Num%
Echo %DispNum:~-4%

This pads the leading digits with spaces and specifies that I want a 4 character long string returned for the end of the string. (so ” 1″ in the first instance but in my case up to ” 900″ or “9091″).

Hope this adds a little food for thought.

Cheers, Chris.