GPO for Group Memberships

Everywhere I go, they always want to know how to control group memberships.  This is fairly well documented in a lot of places, but here it is again with the Adam twist on it.

Creating a Group Policy for controlling members of a group.

There are two scenarios for managing local groups on a computer with Restricted Groups:

  1. Allow the user to modify members of the local group and keep non-managed members.  In this scenario, a local administrator can add and remove users from the group.  However, if they remove a member that is managed via the GPO, the next time Group Policy is refreshed (about every 90 minutes) that member is added back.
  2. Allow only managed members in the local group.  In this scenario, if a local administrator modifies the membership of the restricted group, those changes are removed at the next refresh and only the membership defined in the Group Policy remains.

 

  • In either scenario, you will want to disable the User Configuration side of the GPO, since these are Computer Configuration settings.
  • A local administrator of a machine can still add or remove an account from a group regardless of what the GPO says.  The change only lasts until the next policy refresh, when the GPO enforces the membership again.

How to set up scenario 1:

  1. Create a Group Policy Object
  2. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
  3. Right-click in the settings pane and choose New > Group
  4. Enter the domain group that you want to add to the local group, for example silverspringnet\Domain Admins
  5. You will then be prompted with the properties for that group
  6. In the lower box (This group is a member of) add the name of the local group you want the domain group to be a member of.  The local group must already exist on the target machine.
  7. If you remove a group from the policy, that group is removed from the local group, unless a user added it manually.
  8. If a user removes the domain group from the local group, the next time the policy is applied the group is added back.

How to set up scenario 2:

  1. Create a Group Policy Object
  2. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
  3. Right-click in the settings pane and choose New > Group
  4. Enter the name of the local group, for example Power Users.  The group must already exist on the target machine.
  5. You will then be prompted with the properties for that group
  6. In the upper box (Members of this group) add the name of the domain group you want to be a member of the local group.
  7. If a user removes the domain group from the local group, the next time the policy is applied the group is added back.
  8. If a user adds an account to that local group, the next time the policy is applied the account they added is removed and the membership from the domain policy is enforced.
  9. If you want the group to have no members at all, leave Members of this group empty.
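A quick way to audit what a GPO will actually enforce, before it reaches a machine, is to read its Restricted Groups settings straight out of SYSVOL.  The two boxes in the GUI map to two keys in the policy's security template, so an offline check shows at a glance which local groups are authoritatively controlled (scenario 2) and which merely gain a member (scenario 1).  The script below is an added example and not part of the original post; the template it parses is constructed for the example, the EXAMPLE domain, its groups and the domain SID are invented, and the merge rule in enforcement_plan for a group named by both forms is an assumption, marked as such in the code.

```python
r"""Audit the Restricted Groups settings in a GPO's GptTmpl.inf.

Added example, not from the original post.  Restricted Groups are written by
the Security Settings extension to the GPO's
MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf under [Group Membership].
Each entry made in the GUI produces two keys:

    <group>__Members  = a,b,c    the "Members of this group" box (scenario 2)
    <group>__Memberof = x,y      the "This group is a member of" box (scenario 1)

Groups and members are either names (DOMAIN\Name) or SIDs prefixed with '*'.
"""
import re

# Well-known SIDs of the built-in local groups that usually appear here.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-545": r"BUILTIN\Users",
    "S-1-5-32-547": r"BUILTIN\Power Users",
    "S-1-5-32-555": r"BUILTIN\Remote Desktop Users",
}

# Constructed sample template: Power Users emptied and Remote Desktop Users set
# authoritatively (scenario 2), Server Admins added to Administrators
# (scenario 1).  The EXAMPLE domain and its SID are invented.
SAMPLE_GPTTMPL = r"""
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members =
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = EXAMPLE\Helpdesk,*S-1-5-21-1111111111-2222222222-3333333333-512
EXAMPLE\Server Admins__Memberof = *S-1-5-32-544
EXAMPLE\Server Admins__Members =
"""


def load_gpttmpl(path):
    """Read the template from SYSVOL; on disk it is UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as f:
        return f.read()


def resolve(token):
    """Turn '*S-1-5-32-544' into a readable name where the SID is well known."""
    token = token.strip()
    if token.startswith("*"):
        return WELL_KNOWN_SIDS.get(token[1:], token[1:])
    return token


def parse_group_membership(text):
    """Return {group: {"Members": list or None, "Memberof": list}}.

    Members is None when the key is absent and [] when present but empty; the
    difference matters because an empty Members box means "no members".
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = re.fullmatch(r"(.+)__(Members|Memberof)", key.strip())
        if not m:
            continue
        group, kind = resolve(m.group(1)), m.group(2)
        items = [resolve(t) for t in value.split(",") if t.strip()]
        entry = entries.setdefault(group, {"Members": None, "Memberof": []})
        entry[kind] = items
    return entries


def enforcement_plan(entries):
    """Per local target group, what the policy does at the next refresh.

    Rules as the post describes them: a Members list (even an empty one, when
    the entry has no Memberof) is authoritative, so anything not listed is
    removed; an entry that only has Memberof adds that group to each target
    and leaves other members alone.  Assumption made by this example: when
    both forms name the same target, the Memberof additions are merged into
    the authoritative list rather than fighting it.
    """
    plan = {}
    for group, e in entries.items():
        members = e["Members"] or []
        authoritative = bool(members) or (e["Members"] is not None and not e["Memberof"])
        if authoritative:
            p = plan.setdefault(group, {"mode": "authoritative", "members": []})
            p["mode"] = "authoritative"
            p["members"].extend(members)
        for target in e["Memberof"]:
            p = plan.setdefault(target, {"mode": "additive", "members": []})
            p["members"].append(group)
    for p in plan.values():
        p["members"] = sorted(set(p["members"]))
    return plan


def describe(plan):
    """Human-readable lines, one per controlled local group."""
    lines = []
    for group, p in sorted(plan.items()):
        if p["mode"] == "authoritative":
            what = "enforced to exactly: " + (", ".join(p["members"]) or "(no members)")
        else:
            what = "will always contain: " + ", ".join(p["members"])
        lines.append(f"{group}: {what}")
    return lines


if __name__ == "__main__":
    for line in describe(enforcement_plan(parse_group_membership(SAMPLE_GPTTMPL))):
        print(line)
```

To check a real policy, point load_gpttmpl at \\domain\SYSVOL\domain\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, where the GUID is the unique ID shown on the GPO's Details tab in GPMC.  After gpupdate /force on a test machine, compare the output with net localgroup for the groups listed.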

SCCM Installation (part 1)

WOAH, before you use this as a definitive guide, it isn't done yet.  But I am posting it because a few people have asked me for it.

Oh yes, and almost all of this is indeed in the help CHM file shipped with SCCM, so for the books, I did not re-invent the wheel here.  Nor do I take into account a real infrastructure; that too will be a later post.

Okay, installing SCCM is not that tricky, but getting the stuff under the hood is.  A little about my reference architecture.  Everything is running on Windows 2008 R2 x64, using the Hyper-V VHD supplied by Microsoft, and the systems are fully patched up to May 9th 2010.  I assume too that you know enough about Hyper-V, cloning VHDs and general setup, since you are reading this article.

First, here is what you are going to need to download to do all of this on Hyper-V R2 (notice all of this is just the EVAL version, and several gigs of downloads):

Installing SQL Server: I didn't do much in terms of performance optimization since this is only a dev type thing, but there are a few key things I did do.  In general I would do much more performance tweaking (logs and database on separate LUNs/disks, memory, CPU, etc.).  Now the recommendation is to install SQL Server on the same box as SCCM for performance reasons, but realistically that just isn't doable: I don't want to buy another SQL Server license, nor another backup license, and the storage.  So if you put SQL on a separate server, you may want to use a second NIC on the SCCM server for the communication to SQL, since there is A LOT of chatter.

  1. Add the SCCM site server's computer account (or a group containing it; see the section below on adding the SCCM servers to a group) as a local administrator of the SQL server.
  2. During setup I did pretty much an out-of-box install, except that I added Reporting Services and the admin tools.
  3. Created a new instance called SCCM rather than using the default instance.
  4. Installed SQL Server 2008 SP1 (SQLServer2008SP1-KB968369-x64-ENU).
  5. Installed SQL Server 2008 SP1 hotfix 395059 (this is a free hotfix).
  6. Created a new database.  By default SCCM looks for a database called SMS_<SiteCode>, where <SiteCode> is the three-character code of the site you are installing, the same code used in the site server signing certificate.
  7. Make sure to enable the TCP/IP protocol for the instance used by SCCM via SQL Server Configuration Manager.

Preparing Active Directory

  1. Extend the schema for SCCM with extadsch, found on the installation media under \smssetup\bin\i386\ (it is always in the i386 directory, regardless of OS)
  2. Create the System Management container:
    1. Launch ADSI Edit as an admin
    2. Connect to the default naming context (the domain)
    3. Right-click CN=System and choose New > Object
    4. Choose container and name it System Management
  3. Apply the correct permissions to the new container:
    1. Create a domain group called Site Servers
    2. Add your SCCM site server computer account(s) to that group (doing this requires a reboot of the site servers so they pick up the new group membership)
    3. Open the properties of the System Management container you just created and, on the Security tab, give that group Full Control
    4. Click Advanced, select the group you just added, click Edit, and under Apply onto select This object and all child objects (This object and all descendant objects on Windows Server 2008 and later)

Installing the certificates for SCCM native mode

Then I needed to install and configure a certificate server and create the required certificates.

  1. To do this I first had to add the Active Directory Certificate Services role and the mandatory components.
  2. I also installed the web enrollment option.
  3. And made it an Enterprise CA, as a root CA.
  4. I created a new private key.
  5. I then used the default configurations for the rest of the settings.
  6. I originally had put here "just follow the instructions from Microsoft"; however, the help file doesn't work and the online version doesn't work in its entirety either.  So here is how to create the two basic kinds of certificates required for the IIS servers and for native mode (non-internet based).
  7. Go to the following page and follow the instructions, except where I say otherwise (do NOT use the SMSV4.chm file for installing the certificates, it does not work): http://technet.microsoft.com/en-us/library/cc872789.aspx
  8. When you have to fill in "The name of this site is..." make sure to use ALL CAPS for the site code, and only three characters; you will need the same code when installing SCCM.
  9. When you get to the section "Installing the Site Server Signing Certificate on the Server That Will Run the Configuration Manager 2007 Site Server", step 3 of "To retrieve and install the site server signing certificate" says to run certreq -accept sitesigning.cer.  DON'T.  Instead open the Certificates MMC.
  10. Right-click Personal and choose Import.
  11. Browse to the sitesigning.cer file you created with the certreq -retrieve command and import it.
  12. You will now have the certificate imported.

Preparing your SCCM server (this assumes you are doing this on Win2K8 R2)

  1. Add the following feature:
    1. Remote Differential Compression
  2. If you want WSUS on this server, install that role
  3. Make the configuration changes according to http://technet.microsoft.com/en-us/library/cc431377.aspx
  4. <Need to add other pre-reqs here>

Now you can run the Setup Prerequisite Checker to make sure you have everything ready:

  1. I would recommend running the tool from the GUI, via the splash applet
  2. The SDK server it asks for is the server you are installing the first SCCM site server on (where the SMS Provider runs)
  3. You may get an error about the WSUS SDK; that just means WSUS is not available, and you can ignore it for now
  4. You will also get an error about SQL Server; that is OK, since our SQL Server is on a separate box

Run Setup

  1. Restart the splash.hta file
  2. Run the installer
  3. Install an SCCM site server
  4. READ the license, check the box and continue
  5. Do a Custom install
  6. Since this is your first server, this will be the primary site
  7. Choose whether or not to participate in the Customer Experience Improvement Program (I usually do in a lab environment)
  8. Choose the installation location
  9. Choosing a site code is important.  If you previously ran SMS, do not reuse one of its site codes.  The code could be a country, for example USA, or a city, for example SJC.
  10. Since we are doing a fresh install, choose native mode

Post Installation

  1. You may need to install the following patch: http://go.microsoft.com/fwlink/?LinkId=98350

Up Next, installing the roles.


crown moulding

I hate installing crown moulding.  But over the years I have come up with a few little tricks to help me remember which way to cut things.

  1. Make a jig to hold the moulding so it doesn't slip.
  2. Always place the material upside-down on the saw.
  3. To help remember which side to put the wood on, remember you never cut cross-handed, so the direction of the cut is the hand you cut with.  For example, to make a left-hand inside cut, you would put the material on the right side so you could cut with your left hand.
  4. When doing an inside cut, the blade faces the inside of the cut (the saw points to the side of the cut), so in a left-hand cut the blade would be swung to the right, since the wood is on the right side; remember what I said above.
  5. When doing an outside cut, the blade points to the outside of the wood (away from the wood).  So for a left-hand outside cut it would face to the left, the opposite side from the wood.
  6. Don't use a brush to paint; use a foam roller or foam brush.
  7. Painter's caulk is great.
  8. Always measure at the ceiling; the distance at the floor is probably not the same.
  9. Get an angle divider, or a bevel gauge and compass, to split the angles.  The extra little bit of time doing this will make your seams much cleaner.
  10. Use a blade made for moulding.  Most general-purpose blades will just shred your moulding.
  11. MEASURE 3 TIMES, CUT ONCE.

Admin tools I could not live without

This is just a small list.  There are probably A LOT more that I use every day, but these are the ones that come to mind most often.

vbsedit: http://www.vbsedit.com
powergui http://www.powergui.org
Active Roles http://www.quest.com/powershell/
Putty http://www.putty.org//
Primal Forms (powershell GUI tool) http://www.primaltools.com/products/info.asp?p=PrimalForms
FileZilla http://filezilla-project.org/
WinImage http://www.winimage.com
Daemon Tools http://disc-tools.com/download/daemon
Wireshark http://www.wireshark.org/
Microsoft’s Account Lockout Tools http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e


WDS 2008 R2

So, things have changed a little in WDS 2008 R2, and much for the better.  In this first post, I will talk a little bit about setting up a generic deployment.  This assumes that you have already done the appropriate sysprep and have PXE running; I have an earlier post that talks a little about how to do this.

Note that all of this assumes a 64-bit OS and boot image; if for whatever reason you are still running 32-bit, just change things to x86.

In the first part, we need to create a streamlined Windows PE boot image.  The following bit of text is a simple cmd file that will do all the work for you.  Copy and paste this into a Notepad document and save it as something.cmd.  This assumes a few things:

  1. You are using the 64-bit architecture; if not, replace amd64 with x86 or ia64 (yeah right)
  2. That your RemoteInstall directory for WDS is on drive letter W
  3. There is a little problem with the lang.ini file that is created by default, so the script creates a new one
  4. That your WinPE drive letter is X (this is the default)
  5. It will create a boot image called boot in WDS

If you don’t like what I did, it’s a pretty straight forward thing, just change what you need.

 

@Echo Off
REM Create a generic amd64 boot image for WDS.
REM Run this from the Windows AIK Deployment Tools Command Prompt so that
REM copype.cmd and dism are on the path.  W: is the RemoteInstall drive.

copype.cmd amd64 w:\winpe_amd64

dism /mount-wim /wimfile:w:\winpe_amd64\winpe.wim /index:1 /mountdir:w:\winpe_amd64\mount

REM Add the WMI, Setup, Setup client and WDS tools packages
dism /image:w:\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\winpe-wmi.cab"
dism /image:w:\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\winpe-setup.cab"
dism /image:w:\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\winpe-setup-client.cab"
dism /image:w:\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\WinPE-WDS-Tools.cab"

REM Add the matching en-US language files and the en-US language pack
dism /image:w:\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\en-us\winpe-wmi_en-us.cab"
dism /image:w:\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\en-us\winpe-setup_en-us.cab"
dism /image:w:\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\en-us\winpe-setup-client_en-us.cab"
dism /image:w:\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\en-us\lp_en-us.cab"
dism /image:w:\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\en-us\WinPE-WDS-Tools_en-us.cab"
dism /image:w:\winpe_amd64\mount /set-allintl:en-US

REM Delete the bad lang.ini and replace it.  Keep the space before >> on the
REM en-US=3 line; without it cmd reads "3>>" as a redirect of handle 3.
del w:\winpe_amd64\mount\sources\lang.ini
echo. >w:\winpe_amd64\mount\sources\lang.ini
echo [Available UI Languages] >>w:\winpe_amd64\mount\sources\lang.ini
echo en-US=3 >>w:\winpe_amd64\mount\sources\lang.ini
echo. >>w:\winpe_amd64\mount\sources\lang.ini
echo [Fallback Languages] >>w:\winpe_amd64\mount\sources\lang.ini
echo en-US=en-us >>w:\winpe_amd64\mount\sources\lang.ini

REM Configure the boot shell.  This is only needed if you want to drop into a
REM command prompt when done, which is helpful for testing.
echo [LaunchApp] >w:\winpe_amd64\mount\windows\system32\winpeshl.ini
echo AppPath=x:\setup.exe >>w:\winpe_amd64\mount\windows\system32\winpeshl.ini
echo [LaunchApps] >>w:\winpe_amd64\mount\windows\system32\winpeshl.ini
echo x:\Windows\System32\cmd.exe >>w:\winpe_amd64\mount\windows\system32\winpeshl.ini

REM Dismount the boot image, committing the changes
dism /unmount-wim /mountdir:w:\winpe_amd64\mount /commit

REM Add the boot image to WDS
wdsutil /add-image /imagefile:w:\winpe_amd64\winpe.wim /imagetype:boot /Name:boot /description:"Generic x64 boot"


Now that we have a boot image, we need to make some XML files for installation.  This is a light-touch scenario where the user can pick the OS; however, every choice will wipe the C drive and create one large single partition.

  1. Launch the Windows System Image Manager (SIM)
  2. Under File choose Select Windows Image.  It is going to look for a CLG (catalog) for the OS you want to deploy.  These are typically located on the DVD at:
  3. Create a new answer file, call it WDSUnattend.xml, and place it in your RemoteInstall directory.  I usually create a sub-folder for these files.
  4. Now we are going to add a few components from the Windows image
  5. Go to Components\amd64_Microsoft-Windows-Setup_#_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition
  6. Right-click CreatePartition and choose "Add Setting to Pass 1 windowsPE" (we will configure this in a moment)
  7. Go to Components\amd64_Microsoft-Windows-Setup_#_neutral\WindowsDeploymentServices\ImageSelection\InstallTo and add this to Pass 1 as well
  8. Also add Components\amd64_Microsoft-Windows-Setup_#_neutral\WindowsDeploymentServices\Login\Credentials

 

Now in the Answer File pane, you will see under Components everything you just added.

  1. Go to the Login\Credentials section.  Add a user that has appropriate access to the image you want to install; generally, though not best practice, I create a generic local administrator account on that machine, though a guest would work as well
  2. Go to the Login section and set WillShowUI to OnError
  3. Now we are going to assume that you want the C partition to take up the entire disk space of disk 0, meaning only one partition; any other partitions will be wiped out
  4. Go to the InstallTo section and choose disk 0, partition 1 (depending on OEM data, you may need to use partition 2)
  5. Go to the ImageSelection section above it and, once again, set WillShowUI to OnError
  6. Go to amd64_Microsoft-Windows-Setup_neutral itself and make the following settings:
     EnableFirewall: false
     EnableNetwork: true
     LogPath: (leave blank)
     Restart: Restart
     UseConfigurationSet: (leave blank)
  7. Go to the next setting, DiskConfiguration, and set WillShowUI: Never
  8. Go to Disk and make the following settings:
     Action: AddListItem
     DiskID: 0
     WillWipeDisk: true

 

So what this says is that all settings under Disk apply to disk 0, and that the disk will be wiped.  Since we are wiping the disk, we do not need the ModifyPartition component.

There are no settings in CreatePartitions itself (note that there is a CreatePartitions and a CreatePartition).

  1. Go to CreatePartition and make the following settings:
     Action: AddListItem
     Extend: true
     Order: 1
     Size: (leave blank)
     Type: Primary

 

Basically what all of the above says is that we want to wipe all data on disk 0, create a single partition and make it the primary.

Now, the beauty of this is that whichever WIM image the user chooses, this will be done for all the images; you will see why in a second.

So now we need to make an image-specific answer file.  This is just what I consider the bare minimum requirements; I will go into some of the other settings later.

The first thing is adding the product key; which kind of key you need depends on your licensing.

Add the following to Pass 7 oobeSystem:

  1. Go to Microsoft-Windows-Setup\UserData\ProductKey, right-click it and choose Help; a help page will appear describing the options.  Add the appropriate item for your needs
  2. Add Microsoft-Windows-Setup\UserData and enter that key
  3. Add Microsoft-Windows-Shell-Setup\UserAccounts\LocalAccounts\LocalAccount\Password
  4. Add Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword
  5. Add Microsoft-Windows-Shell-Setup\OOBE

 

Add the following to Pass 1 windowsPE:

  1. Microsoft-Windows-International-Core-WinPE | SetupUILanguage

 

All of the settings above are pretty straightforward.

So now we need to assign these XML files to steps in WDS:

  1. Right-click the WDS server, open its properties and go to the Client tab
  2. Check the box to enable unattended installation
  3. Under the x64 architecture, browse to the first XML file you created, in this case WDSUnattend.xml
  4. Now go to Install Images and open the properties of the image you created the second XML file for
  5. Check the box to allow the image to install in unattended mode and select the second XML file

Once you have imported it, the file is copied to ImageName\Unattend\ImageUnattend.xml under the image's folder, so if you want to make any changes, you need to edit that copy and not the original; if you edit the original, you will need to re-import the file.
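Both answer files end up on the RemoteInstall share, which every PXE client has to be able to read, so treat whatever is in them as public: the Login\Credentials account from the first file and the account passwords from the second.  Setting PlainText to false in SIM does not protect a password; the stored value is just base64 of the UTF-16LE password with the word "AdministratorPassword" (or "Password", for a local account) appended.  The script below is an added example, not from the original post.  The unattend XML it scans is constructed here, and the EXAMPLE domain, the wdsreader and deploy accounts and their passwords are invented.

```python
"""Find credentials in WDS unattend files and undo the 'hidden' password form.

Added example, not from the original post.  The sample XML is constructed; the
EXAMPLE domain, the wdsreader and deploy accounts and all passwords are invented.
"""
import base64
import xml.etree.ElementTree as ET

U = "{urn:schemas-microsoft-com:unattend}"   # namespace prefix as ElementTree sees it


def obfuscate(password, suffix):
    """What SIM stores when PlainText is false: base64(UTF-16LE(password + suffix))."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode("ascii")


def deobfuscate(value, suffix):
    """Reverse of obfuscate(); raises if the value was not built that way."""
    text = base64.b64decode(value).decode("utf-16-le")
    if not text.endswith(suffix):
        raise ValueError("value does not carry the expected suffix")
    return text[: -len(suffix)]


# Constructed WDSUnattend.xml / ImageUnattend.xml fragments, laid out as SIM writes them.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <WindowsDeploymentServices>
        <Login>
          <WillShowUI>OnError</WillShowUI>
          <Credentials>
            <Domain>EXAMPLE</Domain>
            <Username>wdsreader</Username>
            <Password>Summer2010!</Password>
          </Credentials>
        </Login>
      </WindowsDeploymentServices>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{obfuscate('P@ssw0rd', 'AdministratorPassword')}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>deploy</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>{obfuscate('Build1t', 'Password')}</Value>
              <PlainText>false</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def child_text(elem, tag):
    node = elem.find(U + tag)
    return (node.text or "").strip() if node is not None else ""


def reveal(pw_elem, suffix):
    """Return the clear-text password from a <Value>/<PlainText> pair."""
    value = child_text(pw_elem, "Value")
    if child_text(pw_elem, "PlainText").lower() == "false":
        return deobfuscate(value, suffix)
    return value


def find_credentials(xml_text):
    """List (where, account, password) for every credential in the file."""
    root = ET.fromstring(xml_text)
    found = []
    for cred in root.iter(U + "Credentials"):      # WDS login used to fetch the image
        account = child_text(cred, "Domain") + "\\" + child_text(cred, "Username")
        found.append(("WindowsDeploymentServices/Login/Credentials", account,
                      child_text(cred, "Password")))
    for pw in root.iter(U + "AdministratorPassword"):
        found.append(("UserAccounts/AdministratorPassword", "Administrator",
                      reveal(pw, "AdministratorPassword")))
    for acct in root.iter(U + "LocalAccount"):
        pw = acct.find(U + "Password")
        if pw is not None:
            found.append(("UserAccounts/LocalAccounts/LocalAccount", child_text(acct, "Name"),
                          reveal(pw, "Password")))
    return found


if __name__ == "__main__":
    for where, account, password in find_credentials(SAMPLE_UNATTEND):
        print(f"{where}: {account} / {password}")
```

Run it against WDSUnattend.xml and every ImageUnattend.xml under RemoteInstall\Images.  Because anyone who can PXE boot can read these files, the WDS login account should be one that can only read the image share, and the local account and Administrator passwords set this way should be rotated during the task sequence or right after first logon.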

One of the things I have learned is that I will always be changing the boot image until I get things just right, perhaps adding a thing here or changing the background.  You can replace an image with the following command:

wdsutil /replace-image /Image:"Boot" /ImageType:Boot /Architecture:x64 /ReplacementImage /ImageFile:w:\winpe_amd64\winpe.wim

Another one is setting the client unattend policy.  Basically, everything you can do in the GUI can be done through the command line:

wdsutil /set-server /WdsUnattend /Policy:Enabled /File:w:\wdsclientunattend\wdsx64unattend.xml /Architecture:x64


It’s cookie season (Girl Scout cookies that is)

Every year at the same time, they come in packs, almost like Halloween; the Girl Scouts, selling their cookies.  Now, I won't buy cookies from parents who bring the list into the office and leave it on the table, nor when they are just camped out in front of a store.  But I will almost always buy them from a kid selling them, even if they come to the office and do it, and for sure when they come to the door.  I just think that is part of growing up, understanding how to interact, sell, count money, and so on.  I did it as a kid, and so did most kids in my generation, and my kids will do it too.  The problem is I now have a freezer full of cookies.  I've been on a home-made ice-cream kick recently, so I wanted to do something with those cookies, and I have made my first batch of thin-mint ice cream.  Here is the recipe.

  • ~1 cup thin mints. This is about ¾ of a package. Chop them up into small pieces, not crumbs, then eat the rest of the package
  • 2 large eggs
  • ¾ cup sugar
  • 2 cups heavy whipping cream
  • 1 cup milk
  • 2 teaspoons peppermint extract
  • 5 drops green food coloring (optional)

     

  1. Chill the chopped thin mints in a covered bowl, either in the fridge or freezer.
  2. In a large bowl whisk the eggs until light and fluffy, about 2 minutes.
  3. SLOWLY add the sugar, whisking constantly, then once all the sugar has been added, whisk for another minute.
  4. Slowly add the cream and milk and continue whisking to incorporate it
  5. Add the peppermint extract and whisk a little more
  6. Pour the mixture slowly into your ice cream maker. I have a Cuisinart one that I love. When the mixture starts to stiffen up, add the cookies and the food coloring. Do not wait too long, it is better to do it earlier than later, but if you do it too early, the cookies will just fall apart. The idea is to keep the cookies intact. To help mix things up, take a small rubber spatula and stick it into the top of the bowl, this will help mix up the food coloring and the cookies a little more.

This should make a very hefty 1 Quart, let freeze over night if possible.


My Home Server

Yes, I built yet another home computer.  This time I wanted to build a white box that I could install virtual guests on, one of which being Windows Home Server.  I also wanted some redundancy in the disks, AKA RAID.  So basically I ended up with the following configuration for less than $500.  I already had 3 of the 4 disks I needed.  There is one RAID 1 of two 120 GB disks for the Win2k8 R2 Hyper-V host and one RAID 1 of two 500 GB disks for the Windows Home Server data.

  1. Seagate Barracuda 7200.12 ST3500418AS 500GB 7200 RPM SATA 3.0Gb/s 3.5″ Internal Hard Drive -Bare Drive: $54.99
  2. SAMSUNG CD/DVD Burner Black SATA Model SH-S223C – OEM : $26.99
  3. 2 @ G.SKILL 4GB (2 x 2GB) 240-Pin DDR2 SDRAM DDR2 800 (PC2 6400) Dual Channel Kit Desktop Memory Model F2-6400CL5D-4GBNT – Retail : $163.98 (81.99 ea)
  4. GIGABYTE GA-MA785GM-US2H AM3/AM2+/AM2 AMD 785G HDMI Micro ATX AMD Motherboard – Retail : $79.99
  5. AMD Athlon II X2 240 Regor 2.8GHz Socket AM3 65W Dual-Core Processor Model ADX240OCGQBOX – Retail : $58.99
     Total cost: $384
     Tax: $31.76
     Shipping (Newegg): $5.14
     Total: $421.84
  6. Add to that my chassis: ~$72.00 (Cooler Master RC-310-BKR2 with power supply).  I picked this chassis because of all the fans and the large number of bays.
  7. And a trip to Fry's for 2 more SATA cables, 2 120mm fans and 2 power adapters (hard drive to SATA2)

I configured the BIOS for RAID and enabled the virtualization bit in the BIOS.  Win2k8 R2 picked up all of the necessary drivers (surprisingly enough, even the RAID adapter, something VMware won't do).  I just had to install the network driver and a few other drivers.  So once I downloaded the drivers, I extracted the installers and installed them on the server by running the following command.  I used the Windows 7 x64 drivers:

pnputil -i -a PathToINF\Driver.INF for the following paths

The key one to install was the network driver; that was done with: pnputil -i -a <thumbdrive>\LAN\W7\WIN7\64\netrtx64.inf.  Once I did that and some of the other basic configuration of Hyper-V via the handy little startup script, I was all set to go.

But, the idiots at Microsoft (I hate to use "idiots" there, but this is the dumbest thing ever): they made it so that the Remote Management tools for Win2k8 only run on Win7 Pro and above, not on Home or any other versions.  This makes it nearly impossible to manage Hyper-V from a remote system.  I have no idea why they would do this.  This simply makes it easier for people to use ESX for home systems.  IDIOTS.  Anyway, my very good friends at Quest have a free tool called PowerGUI.  If you don't have it and you are in IT, get it from http://www.powergui.org.  You will then need to install the Hyper-V PowerPack from http://www.powergui.org/entry!default.jspa?categoryID=290&externalID=2142 and follow the instructions (there are a lot of good PowerPacks).  Once you have it all installed, launch the PowerGUI tool:

  1. Expand the Hyper-V folder and select Managed Hyper-V Servers
  2. In the Actions pane click Add Server
  3. Add the IP address of the server
  4. And for the credentials add Administrator (or if you configured another local admin, use that)

You are all set to go.

Once again, I would like to thank Microsoft for forgetting all the IT people in the world who would like to build a VM server at home but cannot use Hyper-V because it cannot be managed with native tools.  Good going, idiots, what were you thinking?  DUHHHH….


edit DNS Settings on ESX 3.5 host

Moving the service console DNS settings to USER.DOMAIN (you can do the same steps from the VI Client):

  1. Edit /etc/hosts and change the entry for the host to the new domain:
       serverIP               hostname.Domain.TLD hostname
  2. Edit /etc/resolv.conf:
       nameserver IPAddress
       nameserver IPAddress
       search Domain.TLD
  3. Edit /etc/sysconfig/network and set HOSTNAME to the new fully qualified name
  4. Restart networking to apply the settings: service network restart
  5. Add the server to Windows DNS

Adding AD authentication to ESX 3.5

Modifying ESX hosts to authenticate USERDOMAIN user accounts.  You can do all of the following from the service console, or by connecting to the physical host from the VI Client; without getting into shell or Perl scripting, automating this is pretty tricky.

  1. Log on as root.
  2. Add a new user to the local machine with the same name as the domain user name:

useradd username

  3. Set a password for the new user; do not make it the same as the domain password:

passwd username    (and follow the prompts)

  4. Check that the user was created by looking at the end of /etc/passwd:

tail /etc/passwd

  5. To disable a user account (never just delete an account), put a # in front of the user name in /etc/passwd using vi:

vi /etc/passwd

    1. Type / followed by the user name and press Enter to search forward; press n to jump to the next match
    2. Go to the beginning of the line containing the user name and press i (insert)
    3. Type a # (hash mark) in front of the user name
    4. Press Esc, then type : (colon; a prompt appears at the bottom of the screen) followed by wq! (write, quit, force) and press Enter
  6. To give users sudo access without giving out the root password:
    1. Create a new local group, for example esxadmins: /usr/sbin/groupadd esxadmins
    2. Edit the group file and add the required users:

vi /etc/group
esxadmins:x:505:username1,username2,etc…
:wq!    (vi command to save)

    3. Add the group to the sudoers file with visudo (it checks the syntax before saving):

/usr/sbin/visudo

       Go to some line, press o (the letter o) to open a new line, and enter (spacing does not matter):

%esxadmins        ALL=(ALL)       ALL

  7. If it is a new host, enable Active Directory authentication on it (the same command changes the settings on an existing host):

esxcfg-auth --enablead --addomain=DOMAIN.TLD --addc=DCNAME.DOMAIN.TLD
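Once sudo rights come from a group, the set of people who can actually become root is spread across /etc/group, /etc/sudoers and the commented-out lines in /etc/passwd, and a stale esxadmins entry for an account that was disabled this way is easy to miss.  The script below is an added example, not from the original post: run on a workstation against copies of those three files, it reconstructs the root-equivalent users and flags disabled accounts that are still in a privileged group.  The file contents are constructed and the user names invented, and it only understands plain sudoers lines like the one above (no aliases, includes or primary-GID membership), an assumption stated in the code.

```python
"""Reconstruct who can become root on an ESX service console from copies of
/etc/passwd, /etc/group and /etc/sudoers.

Added example, not from the original post.  All three file contents below are
constructed and the user names are invented.
"""
import re

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
#bob:x:502:502::/home/bob:/bin/bash
carol:x:503:503::/home/carol:/bin/bash
"""

SAMPLE_GROUP = """root:x:0:root
esxadmins:x:505:alice,bob
"""

SAMPLE_SUDOERS = """# constructed sample
Defaults    requiretty
root    ALL=(ALL)       ALL
%esxadmins        ALL=(ALL)       ALL
carol   ALL=(root) NOPASSWD: /usr/sbin/esxcfg-auth
"""

# Assumption: only simple one-line rules of the form
#   user_or_%group   host=(runas) [TAG:] command
# are understood; aliases, #include directives and line continuations are not.
RULE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmd>.+)$"
)


def parse_group(text):
    """Return {group: [supplementary members]} from /etc/group."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(text):
    """Return the simple rules as dicts; tags such as NOPASSWD: are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmd = re.sub(r"^(?:\w+:\s*)+", "", m.group("cmd")).strip()
        rules.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": m.group("runas") or "root", "cmd": cmd})
    return rules


def disabled_users(passwd_text):
    """Accounts disabled the way the post describes: a '#' in front of the line."""
    return sorted(l[1:].split(":", 1)[0] for l in passwd_text.splitlines() if l.startswith("#"))


def root_equivalent_users(groups, rules):
    """Users who may run any command as root (or as ALL) on any host."""
    users = set()
    for r in rules:
        if r["host"] != "ALL" or r["cmd"] != "ALL" or r["runas"] not in ("ALL", "root"):
            continue
        if r["who"].startswith("%"):
            users.update(groups.get(r["who"][1:], []))
        else:
            users.add(r["who"])
    return sorted(users)


def audit(passwd_text, group_text, sudoers_text):
    groups = parse_group(group_text)
    rules = parse_sudoers(sudoers_text)
    disabled = disabled_users(passwd_text)
    privileged = root_equivalent_users(groups, rules)
    return {
        "root_equivalent": privileged,
        "disabled": disabled,
        "disabled_but_still_privileged": sorted(set(disabled) & set(privileged)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SUDOERS).items():
        print(f"{key}: {', '.join(value) or '(none)'}")
```

In the sample, carol's rule is limited to one command, so she is not reported as root-equivalent, while bob is still in esxadmins after being disabled and shows up as the entry to clean out of /etc/group.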


What the IT guys don’t want you to know

Did you know that by default, any user in an Active Directory domain can see almost everything in the domain, and there isn't much that can be done to prevent it?  Yes, you can get more information for some things from your Outlook address book.  However, let's say that you want to find the members of a group (that is not in Outlook), or you want to find a printer a little more easily, or just about anything else.  Here is what you need to do:

  1. Create a shortcut with the following command: %windir%\system32\rundll32.exe dsquery,OpenQueryWindow
  2. Launch the shortcut (you can change the name or the icon from the properties of the shortcut)
  3. In the Find drop-down, choose what you want to look up
  4. In the In drop-down, choose the entire directory or a specific domain (depending on the size of your company, choosing the entire directory can take some time)
  5. Then fill in the blanks

It's that simple.  Next time, getting into the nitty gritty of things, using LDAP queries with an LDAP browser.
