Who ate my menu bar?

While I was looking for the advanced network settings on a Windows 2008 Server, I noticed that the menu bar (File, Edit, View, Advanced, etc.) is no longer visible by default. Guess I hadn’t really needed it until this point. How to get it back, you ask? Well, there are two ways.

1. Just like in the DOS days, press the ALT key and the bar will pop back up.

2. Now say you are ALT key challenged and don’t want to use the ALT key. Click on Organize, then Folder and Search Options, and from there switch to Use Windows classic folders.


 


 



Problem: 

PXE boot option will not map a drive (default F:) to the DS. All the configuration seems correct and the password has been verified.

Cause:

Altiris uses a LAN Manager Hash file to store and use the password. Most security policies require the LAN Manager hashing of passwords to be disabled for the domain/server. This is normally done via group policy, by enabling the Network security: Do not store LAN Manager hash value on next password change setting.

Solution:

In most environments it will not be possible to allow LAN Manager hashes across the domain due to security policies, but you can do it for local accounts if you move the server in question to an OU where a policy sets Network security: Do not store LAN Manager hash value on next password change to disabled. After the policy propagates, reboot the server and create a new local account for PXE booting. You will now be able to use this account in your PXE Boot options; just use workgroup as the domain. Once the password is set you could re-enable Network security: Do not store LAN Manager hash value on next password change, as this setting only applies during password changes.

 



Altiris DS Stuck PXE Boot Option Removal

If you ever wanted to remove a boot option from the PXE configuration utility that was flagged in use then you know it can be quite a pain figuring out what jobs are referencing the boot option and changing them. I have even had a couple occasions where the boot options were changed but I still couldn’t remove the old PXE option.

So do you just leave it and act like it doesn’t exist? No I say, to the database we must go.

First open the PXE Config utility, select the boot option in question and choose Edit.

Once the Edit Shared Menu Option window is open, look at the File location and get the number from the end of the path (161 in our case).

Now open SQL Query editor and point it to the Express DB

Run the following Query

select * from dbo.task
where bootoption_id = 161

This will return any jobs that reference the boot option. In this case Event_id 200735 references this boot option.  There is also a task_seq which is used if there are additional steps in a job that reference the boot option.

Now we need to run another query to get the job info, which is stored in the event table.

select * from dbo.event

where event_id = 2000735

 

From this query we can get the name of the job. Once we have the name we can go into the DS console and easily find the job and change the boot option. Once these are updated we can once again go into the PXE Config Utility and delete the offending Boot option.

  


Remote Event Viewer Access Windows 2003 & 2008

I regularly have requests to allow a regular user of a system access the event viewer remotely.   What would seem like a trivial task ends up taking some thought as there is no built in way to easily allow this access on Windows 2003.

So say we want to allow Jim Bob user access to the System event log on our server.

First we need to open Regedit and browse out to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

Next we'll want to copy the CustomSD value into a text editor and add access for Jim Bob.

Original Value:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)

Now since we only want to give him read access we’ll mirror the Interactive User’s (IU) default permissions.

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x1;;;S-1-5-3-3127463467463)

Just copy your newly minted SDDL string back into the CustomSD key and Jim Bob will be good to go.

Now say you just want to allow all Authenticated Users (AU) access you could just modify your SDDL as follows:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x1;;;AU)

Rinse and repeat for any additional event logs that you want to grant access to.

Windows 2008 is much easier as long as you are ok giving the user/group read access to all event logs. If that is the case just add them to the Built in Event Log Readers group.

Now if you want to customize things like give someone access to the Application and System log but not the security log you still have to dig into the SDDL.

The location of the SDDL has changed in Windows 2008, and it is no longer set via the CustomSD value in the registry. You now have to use the wevtutil utility. Ok, so let’s say Jim Bob now needs access to just the System event log on our Windows 2008 Server.

First we need to open the command prompt and run the following command to dump the SDDL for the System log out to a txt file.

wevtutil gl system > C:\temp\out.txt

Open the text file and copy out the channelAccess: entry

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

Now once again copy the Interactive User (IU) rights and add Jim Bob to them.

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-3-3127463467463)

Last we need to apply the new SDDL. Just replace the O:BAG:XXXX with your SDDL String you created in the previous step.

wevtutil sl System /ca:O:BAG:XXXX

There you have it.   As another option, you can remove access for the Event Log Readers group from event log in question by removing the (A;;0x1;;;S-1-5-32-573) entry from the respective log SDDL String.
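Hand-editing these strings is where the mistakes creep in, so here is an added Python example (not part of the original post and not a Microsoft tool) that parses an event log SDDL string, lists which trustee gets read, write or clear, and appends a read-only ACE only when the string is well formed. It assumes the usual event log mask bits (0x1 read, 0x2 write, 0x4 clear); the Jim Bob SID is a constructed placeholder and the function names are this example's own.

```python
import re

# Event-log rights carried in the low bits of each ACE's access mask.
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}
# SDDL aliases and well-known SIDs that appear in the strings on this page.
NAMES = {
    "AN": "Anonymous Logon", "BG": "Builtin Guests", "SY": "Local System",
    "BA": "Builtin Administrators", "SO": "Server Operators",
    "IU": "Interactive", "SU": "Service Logon", "AU": "Authenticated Users",
    "LS": "Local Service", "NS": "Network Service", "S-1-5-3": "Batch",
    "S-1-5-32-573": "Event Log Readers",
}
BROAD = {"AU", "IU", "WD"}  # trustees covering nearly every logged-on account

HEADER_RE = re.compile(r"O:([\w-]+?)G:([\w-]+?)D:([A-Z]*)((?:\([^()]*\))+)")
TRUSTEE_RE = re.compile(r"[A-Z]{2}|S-1-\d+(?:-\d+)+")

# The two default strings quoted in the post, plus a constructed user SID.
W2003 = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
         "(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)"
         "(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)")
W2008 = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)"
         "(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)"
         "(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)")
JIM_BOB = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed


def parse_sddl(sddl):
    """Return (owner, group, [(ace_type, mask, trustee), ...]); ValueError if malformed."""
    m = HEADER_RE.fullmatch(sddl)
    if not m:
        raise ValueError("expected O:<owner>G:<group>D:(ace)(ace)...")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(4)):
        f = body.split(";")
        if len(f) != 6 or f[0] not in ("A", "D") or not f[2].startswith("0x"):
            raise ValueError(f"unsupported ACE: ({body})")
        if not TRUSTEE_RE.fullmatch(f[5]):  # catches stray spaces before the SID
            raise ValueError(f"bad trustee in ACE: ({body})")
        aces.append((f[0], int(f[2], 16), f[5]))
    return m.group(1), m.group(2), aces


def describe(sddl):
    """List each ACE as 'allow|deny <trustee>: <rights>' for review before applying."""
    out = []
    for ace_type, mask, trustee in parse_sddl(sddl)[2]:
        rights = "+".join(name for bit, name in RIGHTS.items() if mask & bit)
        verb = "allow" if ace_type == "A" else "deny"
        out.append(f"{verb} {NAMES.get(trustee, trustee)}: {rights}")
    return out


def grant_read(sddl, trustee):
    """Append a read-only allow ACE for trustee; return (new_sddl, notes)."""
    if not TRUSTEE_RE.fullmatch(trustee):
        raise ValueError(f"not a SID or SDDL alias: {trustee!r}")
    aces = parse_sddl(sddl)[2]  # refuse to extend a string that is already broken
    notes = []
    if trustee in BROAD:
        notes.append(f"{trustee} grants read to a very wide set of accounts")
    # Only an exact trustee match is checked; group membership is not resolved.
    if any(t == "D" and who == trustee and m & 0x1 for t, m, who in aces):
        notes.append(f"an explicit deny ACE for {trustee} still blocks read")
    if any(t == "A" and who == trustee and m & 0x1 for t, m, who in aces):
        return sddl, notes + [f"{trustee} already has read; string unchanged"]
    return f"{sddl}(A;;0x1;;;{trustee})", notes


if __name__ == "__main__":
    new_sddl, notes = grant_read(W2008, JIM_BOB)
    print("\n".join(describe(new_sddl) + notes))
    print("wevtutil sl System /ca:" + new_sddl)
```

Running `describe` on the current value before and after the change gives a reviewable record of exactly which right was added and for whom.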

 



Windows 2008 Installer as a PXE option

One of the challenges with Windows 2008 is the fact that it requires a DVD drive to install the OS from standard media, and many of our servers only have a CD drive.

To solve this problem we created a custom Win PE boot option called W2K8 Setup 64bit & W2K8 Setup 32bit and instead of starting Aclient we call Windows setup.

First off create a new PE boot option. Once at the Edit Configuration screen (step 9) choose New then Text file. Select the file and change the name to runagent.bat. Delete any text in the runagent.bat file so that file is blank.

Then select the startup.bat file and add the full path to your setup.exe file under the :UserActions line (F:\images\w2k8\setup.exe in my case). Save it, and then you're ready to boot into setup without accessing the DS console.



Got to Love E-mail Scammers

Last week I listed  an old laptop I have for sale on Craigslist. Here is one of the more amusing  scams I received.

 

Cody Posey to sale-767560960

Hi,

I wanna buy your item for my lover,reply if it's still available.

 

------------------------------------------------------------------------------------------

Noah to Cody

Tell your lover that they are in luck. Give me a call.  

------------------------------------------------------------------------------------------

Cody Posey to me

 

Thanks for getting back to me, I am buying your item for my Interracial beloved lover, am  sending this item as a gift of love from me. Please consider your item sold and remove the add from site. because i will like to make a prompt payment for your item. I am located in Denver. will be adding an additional dollars doing payment for the shipping cost. Send me what i will use for the payment. Do you prefer pay pal or Money order? Send me your full name and address if you prefer money order for the payment to be made asap.

Thanks for your time

Good luck

-----------------------------------------------------------------------------------------

Noah to Cody  

I am intrigued by the prospect of your interracial beloved lover receiving and cherishing my item. I hope that they will love and hold my item as much as I have over these past years, and If you could send a picture of your lover,  I would even bless my item to their image. But I fear your lover will never have the enjoyment I had with the item, as I do not participate in modern currencies and will only except payment for my item in gold. 



 

Over time the helpdesk database becomes very laden with sludge. In our case, in the over 3 years of heavy use that the helpdesk has been in place, we have accumulated over 1.5 million incidents, 8500 obsolete contacts and 150 worker queues. With every passing month my users noticed the system getting slower and slower.

 

What to do with all this filth you ask, well purge it of course.  First off we needed to come up with a policy  and then figure out how to implement  the policy.  Today we'll work with the incidents database.

 

After sitting down with the users of the system we were able to determine that we only needed 6 months of tickets. 

 

Once the policy was determined the fun part began. Since there is no built in method inside of the Altiris Helpdesk system to purge  incidents,  we needed to  figure out how to do this from SQL.

 

A word of warning before we get started:  Make sure you have a good backup of your Altiris_Incidents database and preferably test this process thoroughly on a test box first.  Also everything here is provided as is,  these processes work in my environment, but may need  some tweaking to work in yours.

 

With that out of the way,  on to the fun stuff.

 

All the incidents are stored in the workitem table. The records in the worker table only have one dependency that we have to worry about when purging the records. That column is called link_parent_number and is used for linking child and parent incidents, and the default value should be 0. I found it easier to identify these records after the purge, so we'll start with the purge and then clean up the leftover records.

 

First we'll start with creating a query to select all the records over 6 months old.  Open SQL management studio  select the Altiris_Incidents database and create a new query.

 

Select count(*)
FROM workitem
WHERE modified_on < DATEADD(mm,6*-1,GETDATE());

 

This will give us the number of records in the workitem table that are older than 6 months.

Now remember that each workitem may have multiple records in the workitem  table.  If you want to see the total number of actual incidents change the query to:

 

Select count(distinct number)
FROM workitem
WHERE modified_on < DATEADD(mm,6*-1,GETDATE());

 

You can modify this query as needed until you get the records you want to purge. Once we have our counts it's time to prepare to delete the old incidents. At this point, you'll want to once again verify you have a good backup before proceeding.

 

Now we'll need to modify the select query into a delete query. This is accomplished by changing the select x,x,x to delete. I always like to add a BEGIN TRANSACTION and a COMMIT TRANSACTION/ROLLBACK TRANSACTION to the start and end of my queries whenever I'm deleting or modifying tables, so that if something goes wrong I can quickly roll back without restoring the database.

 

BEGIN TRANSACTION
Delete FROM workitem
WHERE modified_on < DATEADD(mm,6*-1,GETDATE());

-- COMMIT TRANSACTION
-- ROLLBACK TRANSACTION

 

Once you run this you'll want to verify that the number  of rows affected matches the number of rows selected in your original query.  You can also go into the helpdesk and verify everything is working correctly and that you can create new tickets and view existing ones.

 

If you're happy with the results, go ahead and uncomment the COMMIT TRANSACTION and execute it. Otherwise uncomment the ROLLBACK TRANSACTION and execute it, and everything will be back like it never happened.

 

After the old incidents are purged we still need to  clean up any lingering parent/child linking issues. If you don't link tickets then you can skip this step, but I would recommend you do it anyway as it won't hurt.

 

As before we will start with a query, but this time will change it to an update instead of a delete.

We need to find all the incidents that reference incidents that are no longer in the database .

 

Select count(*) from workitem
where link_parent_number != 0
and link_parent_number not in (select distinct number from workitem)

 

This query will search the  workitem table, and return any record that  doesn't have a 0 (the default) in the link_parent_number column,  and the  incident number  referenced in the  link_parent_number is not in the workitem table.

 

Now we modify this query into an update.

 

BEGIN TRANSACTION
update workitem
set link_parent_number = 0
where link_parent_number != 0
and link_parent_number not in (select distinct number from workitem)

-- COMMIT TRANSACTION
-- ROLLBACK TRANSACTION

 

Once you run the update you will need to remember to uncomment and execute either the commit or the rollback transaction.

 

There you have it you have successfully purged your helpdesk database of incidents over 6 months old.

 

There are a couple of caveats with purging the workitem table like this. If you have a lot of activity going on in a live environment and you're deleting many records at once, you may run into performance or locking issues while you're running the deletes. Also, copying and pasting SQL code or rewriting something I did 6 months ago but have now forgotten is not something I look forward to. To solve these problems we'll now put all our code together into a stored procedure. I have attached the completed stored procedure so you can follow along. Most of this code will already be familiar to you as we covered it above, but I'll go through each section so you can understand what it's doing and customize it to your environment.

 

 

We start with the general CREATE/ALTER PROCEDURE statement. If you already have the stored procedure in your database then you can change the CREATE below to an ALTER and you'll update the existing procedure.

 

set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
GO

CREATE PROCEDURE [dbo].[PurgeIncidentTable] AS

 

To make the stored procedure more versatile, in this section of the code we declare and set variables. These variables allow you to define things that change over time in one place, so you don't have to go through all the code manually updating values whenever requirements change.


SET NOCOUNT ON

DECLARE @rows int
DECLARE @batchsize int
DECLARE @monthstokeep INT
DECLARE @totalrows INT
DECLARE @delay VARCHAR(10)

SET @batchsize = 1000
SET @monthstokeep = 6
SET @delay = '00:00:02'

SET @totalrows = 0
SET @rows = 1

 

 

In the next section we translate our original delete query into a loop to resolve the locking issue outlined above, which could occur when purging 10000s of records in one swoop. Instead we take all the rows to purge and delete them in batches of 1000 (SET @batchsize = 1000). We then add the number of rows deleted in that loop iteration to @totalrows, wait the amount of time in @delay (in our case 2 seconds), and repeat the loop until all the rows are purged. Once purged, we print to the screen that the table was purged and how many rows were purged.

 

-- Delete obsolete Rows in the workitem table
WHILE (@rows > 0)
BEGIN
    DELETE TOP (@batchsize)
    FROM workitem WITH (PAGLOCK)
    WHERE modified_on < DATEADD(mm,@monthstokeep*-1,GETDATE());

    SELECT @rows = @@ROWCOUNT;
    SET @totalrows = @totalrows + @rows;

    WAITFOR DELAY @delay;
END

PRINT 'workitem table Purged..'
PRINT CAST(@totalrows AS VARCHAR(20)) + ' records purged'

 

 

In the next and final block we are pretty much just copying the Link parent number cleanup  update query we created  earlier.  We also add  a couple of PRINT lines to the statement  to echo out how many rows we update. With that the stored procedure is complete.

 

-- Fix any Obsolete parent links
update workitem
set link_parent_number = 0
where link_parent_number != 0
and link_parent_number not in (select distinct number from workitem)

SELECT @rows = @@ROWCOUNT;

PRINT 'workitem obsolete linked parents fixed..'
PRINT CAST(@rows AS VARCHAR(20)) + ' records fixed'

 

 

To add the stored procedure to your system, open SQL Management Studio and, in a new query window, execute the code. This will create the stored procedure in your database.

 

Now all you have to do to purge your database  of records older than 6 months is run

 

EXEC  PurgeIncidentTable

 

You can also schedule this procedure to run via the SQL job scheduler  on a daily/weekly or whatever basis.

 

In conclusion, I have been running the PurgeIncidentTable procedure in production for over 6 months without issue. Our Helpdesk's live online incident count has reduced from over 1.5 million to around a running average of 330,000 active incidents, and the performance on the helpdesk is now stable and predictable.

 

PurgeIncidentTable.zip (700.00 bytes)



Last time we covered adding a collection picker to your reports. In case you missed it you can find it here. I know after reading the prior tip you were excited beyond belief, and happily adding collection pickers to all your reports.

That is until you realize that you have to select a collection each and every time you want to run the report, and most of the time you end up selecting the same collection. Fear not, because today I'll show you how to set the default collection .

First off we need to pick a collection. Let’s go with the All Computers collection. We'll need to browse to the collection in the NS console right-click it and choose properties:  

 

 

In the Properties window we'll need to copy the GUID of the collection and save it for later.

{eb3a1a12-e1c7-4431-b060-f0333e4e488c}

Now we'll need to create/clone a report that has a collection picker. We'll use the Add Remove Programs Example one we created last time. Unlike basic parameters, item picker parameters do not allow you to set a default value; well, at least not in the NS console. To accomplish our task we'll need to export the report to XML, then modify the XML and import it back into the NS.

Browse out to the report in the NS console, right-click it, choose Export and save the XML file to your computer.

 

Now Open the file in notepad and look for the following lines:

<parameter type="custom" assemblyName="Altiris.NS.StandardItems, Version=6.0.6074.70, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f" typeName="Altiris.NS.StandardItems.Query.ItemPickerParameter" filterClass="a725fb57-09e1-4e9f-bb13-b4600094cf61" excludeDescendents="False" autoUpdateIfCollection="True" prompt="True" name="Collection" substituted="true">
<prompt><![CDATA[Collection]]></prompt>
</parameter>

Now we need to add a default tag with our GUID from earlier, just above the closing </parameter> tag in the lines above:

<default><![CDATA[{EB3A1A12-E1C7-4431-B060-F0333E4E488C}]]></default>

So now your Collection parameter XML should be:

<parameter type="custom" assemblyName="Altiris.NS.StandardItems, Version=6.0.6074.70, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f" typeName="Altiris.NS.StandardItems.Query.ItemPickerParameter" filterClass="a725fb57-09e1-4e9f-bb13-b4600094cf61" excludeDescendents="False" autoUpdateIfCollection="True" prompt="True" name="Collection" substituted="true">
<prompt><![CDATA[Collection]]></prompt>
<default><![CDATA[{EB3A1A12-E1C7-4431-B060-F0333E4E488C}]]></default>
</parameter>

Go ahead and save the new XML file and import it back into the NS. Now when you run the report you will see All Computers is already selected.  

 



The Item picker is a great tool for extending the functionality of reports .  More specifically the collection picker allows you to dynamically manage the scope of your reports.   In this article we'll go over how to create and use a collection picker .

 

Let's begin by creating a new report:

 

 

 

Go ahead and click finish and then open the edit windows for the report.

 

Once in the Edit window we'll need to create a couple of parameters, so click the New Parameter button and create a basic string parameter called AppName. Be sure to check the Prompt User box, type a friendly name and set the default value to %

 

 

 

Once the AppName parameter is created, we will need to create one more parameter for the collection picker. Give the new parameter the name of Collection,  change the parameter type to Item picker and the class filter to Collections

 

 

 

Ok, now we need to put in our query, so in the Level Query box click the edit pencil, paste the following SQL query into the box and click Finish.

 

SELECT vc.Name as 'Computer Name', arp.name as 'Application Name'
from vComputer vc
join Inv_AeX_OS_Add_Remove_Programs arp on arp._ResourceGuid = vc.Guid
INNER JOIN dbo.CollectionMembership cm ON vc.Guid = cm.ResourceGuid
where cm.CollectionGuid ='%Collection%'
AND arp.Name LIKE '%AppName%'

 

Now let's save the changes to the report by clicking Apply, and then run the report.

 

 

 

So now we have our fancy new report that can filter  based on  collections. You can easily add this functionality to all your  reports  by  copying the following lines into your existing reports and adding  a Collection item picker parameter.

 

INNER JOIN dbo.CollectionMembership cm ON vc.Guid = cm.ResourceGuid       

Where cm.CollectionGuid ='%Collection%'  

 

Do note that I am joining the collection table to the vComputer view under the alias of vc in this example, so you will need to modify the query to fit your report.

For example, say we wanted to add a collection picker to the following SQL query:

 

Select  *  from Inv_AeX_AC_Identification

 

We would need to modify the query as follows:

 

Select * from Inv_AeX_AC_Identification
INNER JOIN dbo.CollectionMembership cm ON Inv_AeX_AC_Identification._ResourceGuid = cm.ResourceGuid
Where cm.CollectionGuid ='%Collection%'

 

And that is how it's done. I have attached the example report file for your viewing pleasure.



I have looked forward to Windows 2008 Remote App and Single Sign On (SSO) for some time now. Shortly after the Server 2008 release, I looked into publishing a few troublesome applications to our XP SP2 workstations. Well, this kind of worked. I could get the application down to the system, but dragging the application across two screens did not work and SSO did not work. At the time SP3 was in beta, so I gave it a try and with a few reg changes got SSO and dual monitors to work. Since this was beta, and it wasn’t worth pushing a beta SP to the desktops, I shelved the project until SP3 released.

Along comes SP3, and I install it on a test machine, push my reg changes and… nothing. Well, not exactly nothing: the application does open and it now works correctly on dual screens, but SSO doesn’t work at all. Now to the naked eye it appears Microsoft left the feature out, but after a little digging and a couple more registry modifications SSO is working. Well, mostly working: SSO to a TS farm/alias from XP SP3 still doesn't work.

That little setback aside, here's how to do it:

First off to get SSO working, we need to enable credssp and add tspkg to the security packages on the client system.

1.       Start Regedit

2.       Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

                Double click the Security Packages value and add tspkg to the bottom of the multi-string value.

            

3.       Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

4.       Double click the SecurityProviders and add credssp.dll to the end of the string data.

            CREDSSP.reg (1.07 kb)

 

Next we need to enable pass-through Kerberos authentication to our Windows 2008 Terminal Server on our client systems. This is easily done with group policy with Vista, but we have to make registry changes in XP.

1.       Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation

2.       Create the following values:
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001

3.       While still at: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation

4.       Create a new key  AllowDefaultCredentials

5.       Now inside your new key create a string value for each server you want to connect to.
"1"="TERMSRV/Server1.domain.com"
"2"="TERMSRV/Server2"
"3"="TERMSRV/*.domain.com"    (This will enable SSO to all

6.       Now reboot and you should be good to go

             AllowDefaultCredentials.reg (768.00 bytes)

You can also enable NTLM pass through. In general I’d recommend using Kerberos, besides it doesn’t appear that NTLM pass-through is working in XP SP3 when connecting to a TS, but if you insist here’s how:  

1.       Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation

2.       Create the following values:
"AllowDefCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001

3.       While still at: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation

4.       Create a new key  AllowDefCredentialsWhenNTLMOnly

5.       Now inside your new key create a string value for each server you want to connect to.
"1"="TERMSRV/Server1.domain.com"
"2"="TERMSRV/Server2"
"3"="TERMSRV/Server3"

            AllowDefCredentialsWhenNTLMOnly.reg (804.00 bytes)

Now if everything goes well you should be able to open an RDP connection, be it full remote desktop or Remote App, without having to retype your login credentials. There is one big caveat with SSO and XP SP3 though. As mentioned above, at this point SSO does not work from XP SP3 to a TS farm or alias, even when you allow NTLM pass-through. You can easily get this working in Vista with server certificates, but no amount of banging your head against the keyboard will get it to work in XP. I will post an update if I ever figure out how to get it working though.
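Since these keys decide which servers a client will hand default credentials to, it is worth reviewing them after rollout. The following added Python example (not from the original post or its attached .reg files) parses a decoded .reg export of the CredentialsDelegation key and reports wildcard targets, non-TERMSRV targets, and any target listed for NTLM-only delegation. The sample export is constructed from the values shown in the steps above, and the function names are this example's own.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
LISTS = ("AllowDefaultCredentials", "AllowDefCredentialsWhenNTLMOnly")
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")')

# Constructed export following the steps in the post. It is already decoded to
# text here; regedit itself writes .reg files as UTF-16.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001
"AllowDefCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/Server1.domain.com"
"2"="TERMSRV/Server2"
"3"="TERMSRV/*.domain.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
"1"="TERMSRV/Server1.domain.com"
'''


def parse_reg(text):
    """Parse decoded .reg text into {key_path_lowercase: {value_name: int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive, so normalise them.
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.fullmatch(line)
        if m and current is not None:
            name, dword, string_value = m.groups()
            current[name] = int(dword, 16) if dword is not None else string_value
    return keys


def audit_delegation(text):
    """Return [(list_name, target, finding)] for delegation targets worth reviewing."""
    keys = parse_reg(text)
    findings = []
    for name in LISTS:
        targets = keys.get((BASE + "\\" + name).lower(), {})
        for target in targets.values():
            service, _, host = str(target).partition("/")
            if service.upper() != "TERMSRV":
                findings.append((name, target, "not limited to the TERMSRV service class"))
            elif "*" in host:
                findings.append((name, target, "wildcard: any matching host may receive default credentials"))
            elif name.endswith("NTLMOnly"):
                findings.append((name, target, "default credentials delegated with NTLM-only server authentication"))
    return findings


if __name__ == "__main__":
    for list_name, target, finding in audit_delegation(SAMPLE_REG):
        print(f"{list_name}: {target} -> {finding}")
```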

 


