Monday, April 30, 2007

On Vacation

I will be back May 7.

Friday, April 27, 2007

SMS Client Actions

This has been posted in many places, but I will post it here too since they are all related.
You can do many actions from the client side manually but you can also pass down the command from the SMS server.

What are some of these good for? Maybe you want to push an application down through some collections, but the collection requires a HW inventory to check Add/Remove Programs first. If your HW inventory is set for every 3 days, it could then take 3 days to get that software fully installed. Now you can push a VBS file to force the HW inventory at the end of the package advertisement. If you have your collection updating, say, every 8 hours or less, then it will install quicker.



Force the client to change the SMS cache size in MB
---------------------cachesize.vbs-------
Dim oUIResource
Dim objCacheInfo
Set oUIResource = CreateObject("UIResource.UIResourceMgr")
Set objCacheInfo = oUIResource.GetCacheInfo
'change to 2000MB
objCacheInfo.TotalSize = 2000
Set oUIResource = Nothing
Set objCacheInfo = Nothing
-------------------------------------------------------------------

Force the cleaning of SMS Cache
-------------------clean cache.vbs---------------------------------------------
on error resume next
dim oUIResManager
dim oCache
dim oCacheElement
dim oCacheElements
'connect to the SMS client's cache manager
set oUIResManager = createobject("UIResource.UIResourceMgr")
if oUIResManager is nothing then
    wscript.quit
end if
set oCache=oUIResManager.GetCacheInfo()
if oCache is nothing then
    set oUIResManager=nothing
    wscript.quit
end if
'delete every element currently held in the cache
set oCacheElements=oCache.GetCacheElements
for each oCacheElement in oCacheElements
    oCache.DeleteCacheElement(oCacheElement.CacheElementID)
next
set oCacheElements=nothing
set oUIResManager=nothing
set oCache=nothing
wscript.quit
--------------------------------------



Software / Hardware Inventory
----------------------SW-HW.vbs---------------
On Error Resume Next
Dim oCPAppletMgr
Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")
Dim oClientActions
Set oClientActions = oCPAppletMgr.GetClientActions()
Dim oClientAction
For Each oClientAction In oClientActions
If oClientAction.Name = "Software Inventory Collection Cycle" Then
oClientAction.PerformAction
End If
If oClientAction.Name = "Hardware Inventory Collection Cycle" Then
oClientAction.PerformAction
End If
Next
-----------------------------------

Policy Refresh
----
On Error Resume Next
Dim oCPAppletMgr
Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")
Dim oClientActions
Set oClientActions = oCPAppletMgr.GetClientActions()
Dim oClientAction
For Each oClientAction In oClientActions
If oClientAction.Name = "Discovery Data Collection Cycle" Then
oClientAction.PerformAction
End If
If oClientAction.Name = "Request & Evaluate Machine Policy" Then
oClientAction.PerformAction
End If
Next
------

Wednesday, April 25, 2007

Fixing WMI Errors in your Repository

Microsoft has a nice utility, WMIDiag v2.0, released 1/25/2007.

http://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx
http://www.microsoft.com/technet/scriptcenter/topics/help/wmi.mspx

This tool helps you run reports to determine errors with WMI on your machine.

"This document (developed in conjunction with the WMI team at Microsoft) is designed to help you troubleshoot problems with WMI scripts and the WMI service. Although the focus here is on scripting, the same troubleshooting information can be applied to other WMI consumers, such as Systems Management Server (SMS). Scenarios – and the error codes they produce – will often be the same regardless of whether you encounter problems using a script, the WMIC command line, a compiled application (such as SMS) that calls WMI, etc."

WMI fixes can still be used:

Windows XP
rundll32 wbemupgd, UpgradeRepository

Windows 2003
rundll32 wbemupgd, RepairWMISetup

A sample of the report is listed below:
DCOM Status: ................................ OK.
WMI registry setup: ............................ OK.
WMI Service has no dependents: ................. OK.
RPCSS service: ................................. OK (Already started).
WINMGMT service: ............................... OK (Already started).
--------------------------
WMI service DCOM setup: ........................ OK.
WMI components DCOM registrations: ............. OK.
WMI ProgID registrations: ...................... OK.
WMI provider DCOM registrations: ............... OK.
WMI provider CIM registrations: ................ OK.
WMI provider CLSIDs: ........................... OK.
WMI providers EXE/DLL availability: ............ OK.

If you are having problems with WMI connections or errors, check this out. Running it on your SMS server might just find an error or security setting that you need to change.

Monday, April 23, 2007

The failure description was "11412"

Everyone has seen this error at least once. Sometimes it fixes itself; other times you have to figure out the problem. Granted, there are other fixes, but this works for me, so think of it as another thing to try before banging your head on the wall.

The error you see is:

--------From logfile SmsWusHandler-----
The program for advertisement "SMS20002" failed ("SMS00032" - "Microsoft Updates Tool"). The failure description was "11412". User context: NT AUTHORITY\SYSTEM

The client refused to update to the new windows update client (V3)
-----------
First I try manually running the scan agent (SmsWusHandler.exe /Catalog:C:\WINDOWS\system32\VPCache\SMS00032\wsusscn2.cab /OutputXml:C:\WINDOWS\system32\VPCache\SMS00032\Results.xml)

If I receive the error about an invalid folder then I follow these steps...

First looking at the client data it says that it hasn't been patched in 1 month, but a manual scan will confirm that it is patching and that the only problem is the scan function and reporting it back to the SMS server.

Checking the vpcache folder revealed that the new cab file and new ITMU had downloaded but the Windows Update function didn't install correctly.

I went to my WUSPkgSource folder and manually ran WindowsUpdateAgent30-x86.exe to force the update on the client.

Once that was done I again ran the scan agent manually, this time it succeeded and all is now well with the client.

This error
Local WUS client version = 5.8.0.2469. Required version = 5.8.0.2678

Now shows as:

WUS client version detected on the machine = 5.8.0.2694.

A HW inventory returns the data to SMS and another client is back up and running.
----------
Once you have tested it on a machine and determined that this is the way to solve the problem, you can easily send this down as an advertisement to the affected computers. This can be 100% automated. But remember, this error can have 20 different solutions. Once you find the one that works, let's hope it will solve it on all the systems.

Saturday, April 21, 2007

Microsoft VPN Client Setup

I don't want to focus on how to deploy applications since there are a number of sites out there for that, but this is less of an install and more of setting up a client. We have laptop and remote users. At image time they are automatically placed in a unique collection. Once they are in, the Microsoft VPN client is set up on their system. Here is how I do it. First I set up the connection manually and place a shortcut on the desktop. Then I pull out the connection information of the link.

------------------from rasphone.pbk --------vpn.txt-----------
[Corporate-VPN]
Encoding=1
Type=2
AutoLogon=0
UseRasCredentials=1
DialParamsUID=19215656
Guid=146A6DB03341F147B8F58280E0E2E729
BaseProtocol=1
VpnStrategy=2
ExcludedProtocols=0
LcpExtensions=1
----------------------------
This is just the beginning of the file; there is no need for me to post the whole file since your settings would be different. The Guid is random to your system.
This section is stored in a file called VPN.txt. Next I copy the link file (corp-vpn.lnk) to my package folder.

Lastly I have this vbscript to run and complete the setup.
--------vpn.vbs-------------------
Dim objFSO, objOrigFile, objVpngFile, objCopyFile
Dim strFileOrig, strFileData, strCharacters
strFileOrig = "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
strFileData = "vpn.txt"
Const ForAppending = 8
Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
'create an empty phonebook if this machine does not have one yet
If Not objFSO.FileExists(strFileOrig) Then
    objFSO.CreateTextFile(strFileOrig, False).Close
End If

'append the saved connection entry to the phonebook
Set objOrigFile = objFSO.OpenTextFile(strFileOrig, ForAppending, True)
Set objVpngFile = objFSO.OpenTextFile(strFileData, ForReading)

Do Until objVpngFile.AtEndOfStream
    strCharacters = objVpngFile.Read(1)
    objOrigFile.Write(strCharacters)
Loop
objVpngFile.Close
objOrigFile.Close

'copy link over
Set objCopyFile = objFSO.GetFile("corp-vpn.lnk")
objCopyFile.Copy "C:\Documents and Settings\All Users\Desktop\"
-----------------------------

You have now set up an MS VPN connection for the computer.
The only tricky part is the GUID and getting the lnk file to move and maintain its connection to your VPN connection.

This makes setting up a VPN for remote users easy at provision time: no more walking users through it and no more doing it manually.
I don't consider this application installation since there is no setup.exe or install.msi.

Use / modify as needed.
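
The script above appends vpn.txt every time it runs, so a re-run of the advertisement leaves a second copy of the same entry in rasphone.pbk. The following is an added example, not part of the original post: it reads the section header from vpn.txt and appends only when the phonebook does not already contain it. The paths and file names are the ones used in the post; the function names are made up for this example.

```vbscript
' Added example, not from the original post: append vpn.txt to rasphone.pbk
' only when the phonebook does not already contain the same [section] header.
Option Explicit

Const ForReading = 1
Const ForAppending = 8

' Paths taken from the post; adjust for your package.
Const PBK_PATH = "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
Const ENTRY_FILE = "vpn.txt"

Dim objFSO
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Return the first "[name]" line found in a file, or "" if there is none.
Function FirstSectionHeader(strPath)
    Dim objFile, strLine
    FirstSectionHeader = ""
    Set objFile = objFSO.OpenTextFile(strPath, ForReading)
    Do Until objFile.AtEndOfStream
        strLine = Trim(objFile.ReadLine)
        If Left(strLine, 1) = "[" And Right(strLine, 1) = "]" Then
            FirstSectionHeader = strLine
            Exit Do
        End If
    Loop
    objFile.Close
End Function

' True when the phonebook already has a line equal to the header (case-insensitive).
Function PhonebookHasSection(strPath, strHeader)
    Dim objFile
    PhonebookHasSection = False
    If Not objFSO.FileExists(strPath) Then Exit Function
    Set objFile = objFSO.OpenTextFile(strPath, ForReading)
    Do Until objFile.AtEndOfStream
        If StrComp(Trim(objFile.ReadLine), strHeader, vbTextCompare) = 0 Then
            PhonebookHasSection = True
            Exit Do
        End If
    Loop
    objFile.Close
End Function

Dim strHeader, objSource, objTarget, strEntry
strHeader = FirstSectionHeader(ENTRY_FILE)
If strHeader = "" Then
    WScript.Echo "No [section] header found in " & ENTRY_FILE
    WScript.Quit 1
End If

If PhonebookHasSection(PBK_PATH, strHeader) Then
    WScript.Echo strHeader & " is already present; phonebook left unchanged."
    WScript.Quit 0
End If

Set objSource = objFSO.OpenTextFile(ENTRY_FILE, ForReading)
strEntry = objSource.ReadAll
objSource.Close

' Third argument True creates the phonebook if it does not exist yet.
Set objTarget = objFSO.OpenTextFile(PBK_PATH, ForAppending, True)
objTarget.WriteLine ""        ' make sure the new entry starts on its own line
objTarget.Write strEntry
objTarget.Close
WScript.Echo "Added " & strHeader & " to the phonebook."
```

The non-zero exit code when vpn.txt has no header lets the SMS advertisement report the failure instead of silently writing a broken phonebook.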

Wednesday, April 18, 2007

Collection Based on File needed (outlook.hol)

Sometimes you need to send a file to the computer multiple times. This is true of the Outlook.hol file. For those that are new to it, this file contains calendar entries for custom and standard information. Use this file to, say, give the dates of company vacations or events. Of course users still need to import the entries into Outlook. At the end of this I will show you how to add it in. To push this file you will need 1 collection with 2 queries.

Query 1: Old HOL file
---------------------
select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "OUTLOOK.HOL" and SMS_G_System_SoftwareFile.FileModifiedDate < "20070206 23:00:00.000"
-------------------------

Query 2: No HOL file
------------------
select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Name not in (select distinct SMS_G_System_COMPUTER_SYSTEM.Name from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "OUTLOOK.HOL")
--------------------

As you update to a new HOL file, change the date in the Old HOL query so it will pull in computers that need the new file. As they inventory, they will be removed from the query. In your package you will need to create a batch file that copies over the old one.

-----copyHOL.bat-----
copy /y Outlook.hol "C:\Program Files\Microsoft Office\OFFICE11\1033"
--------------------

This will copy over the old file. Then simply send out a message to let people know it is up to date. Or, if you update monthly or weekly, let the users know. Use the popup I have listed earlier for a notice after it installs. Please note that if Outlook is open then it won't update. It is better to install when no user is logged in.

To add the holidays to your Outlook, go to Tools > Options > Calendar Options > Add Holidays.

Select the new categories or click OK to update the ones you have. Please note that you need to turn on File Inventory and search for the outlook.hol file.

Tuesday, April 17, 2007

Remote Activation of SMS Agent on Client

In an SMS environment you must have the SMS Agent running on the client or you can't do anything. In a strictly user environment this doesn't matter since the user can't turn it off, but if you have a user that has admin rights to his/her machine then they have the power to turn you off. Finding them is simple enough: look at the computers that haven't sent in an inventory in quite a while, the heartbeat, or other options. The problem is getting that service restarted.

Here is a vbscript that will turn the service back on for a number of computers.
-------------------------
Const SW_NORMAL = 1
'change comps to match the number of computers in your array
Dim Comps(1)
Comps(0)="computer1"
Comps(1)="Computer2"
for each strComputer in Comps
strCommand = "net start ccmexec"
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = SW_NORMAL
Set objProcess = objWMIService.Get("Win32_Process")
intReturn = objProcess.Create (strCommand, Null, objConfig, intProcessID)
'remark lines if you don't want to see the success or failure of the program
If intReturn <> 0 Then
Wscript.Echo "Process could not be created." & _
vbNewLine & "Command line: " & strCommand & _
vbNewLine & "Return value: " & intReturn
Else
Wscript.Echo "Process created." & _
vbNewLine & "Command line: " & strCommand & _
vbNewLine & "Process ID: " & intProcessID
End If
Next
----------------------------

This is simple but effective. You can run it manually or set it as a Scheduled Task on the server.
Remember, you must have admin rights on the computer to run this, so we are talking about a local admin account or a domain admin.
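
The return value of Win32_Process.Create in the script above only says whether "net start" was launched, not whether the service actually started. The following is an added example, not part of the original post: it asks Win32_Service for the state of CcmExec on each computer and calls StartService only when needed, so the result code comes from the service itself. The computer names are the placeholders from the post and the function name is made up for this example.

```vbscript
' Added example, not from the original post: start the SMS Agent Host service
' through Win32_Service so the current state and the result code are visible.
Option Explicit

' Placeholder computer names, as in the post.
Dim arrComputers
arrComputers = Array("computer1", "Computer2")

' Start CcmExec on one computer and return a one-line status string.
Function StartSmsAgent(strComputer)
    Dim objWMIService, colServices, objService, intReturn, blnFound

    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        StartSmsAgent = strComputer & ": WMI connection failed (0x" & Hex(Err.Number) & ")"
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    Set colServices = objWMIService.ExecQuery( _
        "Select * From Win32_Service Where Name = 'CcmExec'")

    blnFound = False
    For Each objService In colServices
        blnFound = True
        If objService.StartMode = "Disabled" Then
            ' A disabled service cannot be started; report it for follow-up.
            StartSmsAgent = strComputer & ": CcmExec is disabled; not started"
        ElseIf objService.State = "Running" Then
            StartSmsAgent = strComputer & ": CcmExec already running"
        Else
            ' StartService returns 0 on success; any other value is a failure code.
            intReturn = objService.StartService()
            If intReturn = 0 Then
                StartSmsAgent = strComputer & ": start request accepted"
            Else
                StartSmsAgent = strComputer & ": StartService returned " & intReturn
            End If
        End If
    Next

    If Not blnFound Then
        StartSmsAgent = strComputer & ": CcmExec service not found"
    End If
End Function

Dim strName
For Each strName In arrComputers
    WScript.Echo StartSmsAgent(strName)
Next
```

Run it with cscript so each status line goes to the console, which also makes the output easy to redirect to a log when it runs as a Scheduled Task.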

Thursday, April 12, 2007

DateAdd in Query/Collection

Many of you have already discovered some of the nice features and added benefits of upgrading to SP2 for SMS 2003. What you might not be aware of is that you can now use the DateAdd function in your query. The only downside is that you can only add it while editing the query manually. There is no WYSIWYG method of adding or editing it. So once you add it you no longer have the editor.

Below is an example of how to use it to keep a computer in a collection for 2 days based on the MCNSDATA.ImageDate. I will describe this more later. Basically we are using a custom MIF file to add a computer to a new computer collection where it will stay until the end of the second day. It will then automatically remove itself. Expect to see more of the "New Computer" subject. I will have more about what we are doing with new computer provisioning.
------------------------------
select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_MCNSDATA on SMS_G_System_MCNSDATA.ResourceID = SMS_R_System.ResourceId where SMS_G_System_MCNSDATA.ImageDate >= DateAdd(dd,-2,GetDate())
---------------------------------

Tuesday, April 10, 2007

Remote Assistance, and other computer info

Sometimes a user says they need assistance. To remote into their machine you need the computer name, which can be hard to find or search for. It is also sometimes hard for the user to give it to you. This query will help you put all that information together. You don't necessarily need to use this for remote assistance. With the user data (current and last logged on) as well as the computer information, you also have full access to the right-click menu within SMS. Ever notice that when you right-click on a query of computers you don't always see the Remote Assistance or the Event view option? For these to appear you need to have the Resource ID and Resource type. This is a simple query that can be expanded to include the IP address or some other useful information. I have this labeled as Remote Assistance because I use it for assisting users remotely. Please feel free to name it and modify it as needed or desired.



Object type:System Resource
Collection Limiting: Not limited
---------------------Remote Assistance -------------------------------
select SMS_R_System.LastLogonUserName, SMS_G_System_COMPUTER_SYSTEM.UserName, SMS_G_System_COMPUTER_SYSTEM.Name, SMS_R_System.ResourceId, SMS_R_System.ResourceType from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId order by SMS_R_System.LastLogonUserName
------------------------------------------------
--no SMS_G_System-- (This is better for most right click tools and passing commands from the MMS)

select SMS_R_System.LastLogonUserName, SMS_R_System.Name, SMS_R_System.ResourceId, SMS_R_System.ResourceType from SMS_R_System order by SMS_R_System.LastLogonUserName

Sunday, April 8, 2007

Custom Popup Message

HTAs, or HTML Applications, can be used for many things: installers, configuration pages, popups and much more. Here I demonstrate how to use them as a custom popup that your network users will recognize not as spyware or a trojan but as a message from the admin group. The background can consist of your company logo and the admin pictures or something distinguishable.
This particular HTA file can be pushed to the machine and displayed to let the user know that he is out of compliance for patches. This can be accomplished in many ways:
1. Create a collection where the scan package is 1 or 2 versions back from where it should be. Pushing this down can warn the user that many, many patches are about to install or that he/she needs to bring their laptop in for repairs because the Windows Update feature isn't working correctly.
2. Create a collection where the latest patch number MS07-0xx is not installed 2 weeks after Patch Tuesday.


---------------Popup.hta ----------
<html>
<head>
<title>Message from &lt;network admin group&gt;</title>
<HTA:APPLICATION APPLICATIONNAME="NetworkGroup" SCROLL="NO" SINGLEINSTANCE="yes" WINDOWSTATE="normal" SYSMENU="no">
<script language="VBScript">
'position and size the popup when it loads
Sub Window_Onload
window.moveTo 200,200
window.resizeTo 820,600
End Sub
'handler for the Close Window button
Sub Closeme
window.close()
End Sub
</script>
</head>
<body background="background.jpg">
<table width="790" border="0">
<tr bgcolor="Yellow" height="8"> <td align="center"> Caution Caution Caution Caution Caution Caution Caution Caution Caution Caution Caution </td> </tr>
<tr height="350"> <td valign="middle"> <font size="5" color="#0000FF">
This system is not fully patched and is therefore a risk to our office. You are receiving this notification because your system is out of compliance for the following reason: <br><br> This system may be experiencing problems receiving the MS updates. Please restart your PC. More patches may install after the restart. <br></font> </td> </tr>
<tr valign="bottom"> <td align="center" height="80"> <input type="button" value="Close Window" name="Closeout" onClick="Closeme" style="background:#f3f;"> </td> </tr>
<tr bgcolor="Yellow" height="8"> <td align="center"> Caution Caution Caution Caution Caution Caution Caution Caution Caution Caution Caution </td> </tr>
</table>
</body>
</html>


---------------------------
The color is to get your attention, change as needed.

See this MSDN article for more information:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/hta/overview/htaoverview.asp

Friday, April 6, 2007

Collection of Computers based on Users

SMS has a nice feature that allows you to create a collection based on users. That way, when a user logs into a computer, SMS will run an advertisement on whatever computer they are on. The problem is that maybe you want to have a collection of computers, not users. The worst flaw, both with the collection query I have created below and with using collections based on users, is that if a person logs in to another machine, for whatever reason, SMS will find them and push software to them.
With that in mind, here is a collection that will take any OU group of users and create a collection of computers.


---------------------------------------
select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.UserName in (select UniqueUserName from SMS_R_User where UserOUName = "xxxx /SECURITY USERS & GROUPS")
--------------------------------------
Windows User account and group discovery must be enabled and run on your server to use this.

How does this work? It first grabs the list of users, then matches them to the computers that SMS currently sees them logged into. To change this to the last logged-in user, change the SMS_G_System_COMPUTER_SYSTEM.UserName reference to SMS_R_System.LastLogonUserName. This will give you the last logged-in user.

Use "Limit to Collection" to restrict it to all your computer workstations, or limit it further based on departments.

If you don't know which group to use, you can create a query of just (select UniqueUserName from SMS_R_User where UserOUName = ""), click Values until you have the value you need, and paste it into the larger query.

Wednesday, April 4, 2007

Collection where XYZ needs to install

Sometimes you want to create a collection that will find all the computers that don't have a particular piece of software installed and push it to them. This is a good dynamic way to use SMS instead of direct computer addition.

Assuming you have Adobe Reader set up to install to all computers, you can key this off of the Workstation collection, or all computers if you wish. You will notice that I use the "LIKE" condition instead of "equals." I do this because you never know what version you might have. Look at Reader 7.09: even though you update your package with the latest Reader, you would need to change the collection. This way it will always look for the computers with no Reader. This is assuming, of course, that you push the updates to Reader and do not uninstall and reinstall the whole application each time.
--------------------------------
select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Name not in (select distinct SMS_G_System_COMPUTER_SYSTEM.Name from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%Adobe Reader 8%")
--------------------------------

Monday, April 2, 2007

Admin Run As with IE 7

After you push down IE 7 through SMS you will find a curious problem. As a security fix, Microsoft will no longer allow you to launch Internet Explorer as an administrator, then type in c:\ and get to Explorer as an administrator. The new window will launch in the current user's security context. To get around it you can use this reg file. Once installed, it will allow you to right-click on any folder or the Start button and launch Explorer as the local Administrator or the Domain Admin.
Granted this can be done easily by just using the RunAs command but this is faster and a click away.

-----------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\OpenAsAdminUser0]
@="Open An Explorer Window as the Domain Admin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\OpenAsAdminUser0\command]
@="runas.exe /user:MyDomain\\administrator \"explorer.exe /SEPARATE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\OpenAsAdminUser1]
@="Open An Explorer Window as the Local Administrator"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\OpenAsAdminUser1\command]
@="runas.exe /user:Administrator \"explorer.exe /SEPARATE\""

-----------------------------

ODBC Connections

After installing software or during routine application changes, it becomes necessary to add ODBC Settings. Most users don't or won't add these changes. Below is an example of how to add an ODBC connection to System (all users). If you want to do it for a certain user use the Current_User key.

ODBC for Project 2002 Sample
------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\Project2002]
"Driver"="C:\\WINDOWS\\System32\\SQLSRV32.dll"
"Server"="Server-sql"
"LastUser"="LUser"
"Trusted_Connection"="Yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources]
"Project2002"="SQL Server"
---------------------------

This can also be achieved by setting it up manually and then exporting the registry key.