DosFreak 2 Posted February 14, 2002

Finally got around to playing around with SMS yesterday. Didn't know how to create a package and distribute it so I took a quick peek at the Microsoft Technet Security Toolkit and it told me all I needed to know. Got Windows 2000 SP2 to start distributing that very same night. Came in the next morning and started looking over all the properties for the settings. Decided to make some changes (The hardware/software queries were running every single day! 8) 8) ). Then I decided to mess with the permissions because some genius never put the passwords in our Master Password List. DOH! Well I messed too much and stopped SMS from distributing. Finally figured out that I needed to do a site reset. Stuck in SMS 2.0 SP1 CD and it complained about NT4 Terminal Services so I removed Windows 2000 Terminal Services from the box and setup resumed. Unfortunately the Site Reset option was grayed out! Finally grew a brain after a couple of seconds and ran SP3 which provided the option to reset and found the problem...seems I switched it from integrated authentication to the other option which prevented SMS from communicating. So I switched it to Integrated. Rebooted and away it went! YAY!

Anyways, I need to apply permissions to the registries of about 600-700 machines. Now I could do it via logon script but I've got SMS here and I want to do it that way. This is an NT4 Domain with NT4/NT5 machines. Unsure what I need to do. I *think* that I need a CL tool that could apply permissions or do I need to create a local workstation policy and use the built-in tools in NT to apply the policy? (So simply distribute a batch file with the policy to execute on each machine?) Remember this is an NT4 Domain so no Group Policy.

Anybody have any hints and tips? I could figure this stuff out myself but I'm extremely pressed for time and why waste it when I can get the good stuff here.
clutch 1 Posted February 14, 2002

I have been using SMS for the last couple of years, and in general I tend to do what you mention; I will simply deploy a batch file and run it as an admin (if needed) with domain admin credentials. You can also use WSH scripts to do more advanced functions assuming that you have a fairly current version of WSH on the workstations. If you have that kind of hardware, I am assuming that you have a decent test server/client base to play with and can practice the pushes on that. You'll find it's really nice, but sometimes hangs on advertisements a bit for no apparent reason, so if you set one up and it never goes out, just recreate it and you should be fine.

Also, another thing, if you plan on distributing an application (like SP2) from one site, bear in mind that it will still make a copy of it to distribute it anyway. This is kind of annoying, as the server is also my only CAP (small network) and I wind up with 2 copies of it. This behavior eats up disk space quickly when you are pushing apps the size of Office 2000.
DosFreak 2 Posted February 14, 2002

Nope, No Office pushes are going to happen here if I have a say in it. Heck, it was hard enough to convince myself to push out Service Packs! My main reason was that our WGM's need to be trained because they are pathetically ignorant of their jobs but also lazy.....they would never do the job anyway. So SMS will have to do it for them. Now gotta read up on pushing out the latest 2000 SRP/NT4 SP6a/NT4 Security Rollup/and the IE Security Rollup that just came out. I will have the ultimate secure network! Muahahahahhahaha.

So far out of 125 machines patched with SP2 none have crashed so I'm happy. What worries me tho is the Post SP6a security rollup which crashes Compaq computers with Smart Array controllers. When installed upon reboot the server crashes. So I think I'll limit SP6a/Post SP6a fix to workstations as it should be.
clutch 1 Posted February 14, 2002

HA! You saw that too?!?!?! Damn, I installed it and it scrambled the $hit out of my partitions. My Proliant 3000R took it just fine, but the 5500R had a seizure and crapped out. Of course, this was rather handy since it was *only* the database server for our ERP system. Bastards...

As for limiting the pushes, our naming convention makes that very easy to control (PC1, Server6, etc) and anything else is easily nailed down by subversion (SP Level). If you want great sources on SMS info, check out www.myitforum.com and www.swynk.com, although the latter is fading away as far as new content goes. You can pick up pre-existing queries and scripts there (of course they took some of mine, so they must be desperate) and some nice how-tos. In any case, SMS is *extremely* powerful, and should not be used around open sources of heat or combustible substances.
DosFreak 2 Posted February 14, 2002

Yep, stoopid M$. When the Post SP6a first came out I tested it out on a Compaq Server, important but not important enough that a little downtime wouldn't hurt. Well I installed it and it crashed the box. I ripped out my DOS NTFS disks and found which file I needed to replace to get it to work again. I was also able to replace the file in the Post SP6a update so that I could install the Post SP6a rollup on the rest of my Compaq servers without going through that mess again.

Still it isn't totally Microsoft's fault. This is Compaq we are talking about here. Was rebuilding a Proliant 1600 the other day and what I love about these Compaqs is the software support. The System Flash Utility and the SmartStart CD are EXCELLENT tools. Even though Dell is replacing Compaq in the server arena I wish Dell would make their server software packages as well as Compaq does.
clutch 1 Posted February 14, 2002

We have those 2 Compaqs that I mentioned, plus an old Prosignia 200 (getting retired to development work), a DL360R, and we just picked up a DL380R G2 and they have all worked rather well. I have worked with 3 Dell servers, and while they have been assembled nicely, I do like the software utilities and the general support I have received from Compaq enough to make me keep buying from them. Of course, with the HP buyout I am not sure how long this impression will last...
DosFreak 2 Posted March 1, 2002

Well, just pushed out a file/registry permissions program that removes the "Everyone" group and some other common security procedures to all workstations on-base! So far it's pushed out and installed to 30+ computers! Gonna do an ISS scan tomorrow and see if the vulnerabilities have decreased.

Also I'm starting to get more and more into queries. Created a couple of queries for the different SP levels of NT and am starting to get into BIOS ver of the computers. Also made another query to look for FAT partitions on computers! So much to do. So much to do. 8) 8)
clutch 1 Posted March 1, 2002

I have a query that determines partition type and size. If you like, I can send some of my favorites out to you.
DosFreak 2 Posted March 1, 2002

Send, send, send, send! Gonna review basic maintenance things I do to computers and see what's feasible to push out through SMS. Any help would be appreciated. Gonna get these FAT drives off my network.
clutch 1 Posted March 1, 2002

Here's one for "Free Space on Local Hard Drives"

Quote:

    select distinct
      SMS_R_System.Name,
      SMS_R_System.LastLogonUserName,
      SMS_G_System_LOGICAL_DISK.DeviceID,
      SMS_G_System_LOGICAL_DISK.FileSystem,
      SMS_G_System_LOGICAL_DISK.Size,
      SMS_G_System_LOGICAL_DISK.FreeSpace
    from SMS_R_System
      inner join SMS_G_System_LOGICAL_DISK
        on SMS_G_System_LOGICAL_DISK.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_LOGICAL_DISK.FileSystem != "CDFS"
      and SMS_G_System_LOGICAL_DISK.DeviceID < "H:"
      and SMS_G_System_LOGICAL_DISK.DeviceID >= "C:"
    order by SMS_R_System.Name

"Install Date and Last Boot Time" (Boot Time can be skewed depending on update cycle of clients to site DB):

Quote:

    select
      SMS_R_System.NetbiosName,
      SMS_R_System.LastLogonUserName,
      SMS_G_System_OPERATING_SYSTEM.Name,
      SMS_G_System_OPERATING_SYSTEM.LastBootUpTime,
      SMS_G_System_OPERATING_SYSTEM.InstallDate
    from SMS_R_System
      inner join SMS_G_System_OPERATING_SYSTEM
        on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
    order by SMS_R_System.NetbiosName

"Windows 2000 Workstations by Service Pack"

Quote:

    select
      SMS_R_System.Name,
      SMS_R_System.IPAddresses,
      SMS_G_System_OPERATING_SYSTEM.CSDVersion,
      SMS_R_System.OperatingSystemNameandVersion,
      SMS_R_System.LastLogonUserName,
      SMS_G_System_OPERATING_SYSTEM.Version
    from SMS_R_System
      inner join SMS_G_System_OPERATING_SYSTEM
        on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
    where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation 5.0"
    order by SMS_G_System_OPERATING_SYSTEM.CSDVersion

As you can tell, these can be modified pretty easily to suit your needs (like changing the last one to look for NT4 workstations, or look for servers rather than workstation, etc). I have some others, and will post them or send them out to you in a bit. Also, do you have the SMS Resource Kit? That has some pretty nifty utilities in it.
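An adaptation of the queries above for the FAT-partition hunt mentioned earlier in the thread, added here as an example and not posted by either participant. It uses only the classes and properties that appear in clutch's queries; the `like "FAT%"` pattern is an assumption meant to match both FAT and FAT32 values in FileSystem.

```sql
-- Added example (not from the thread): FAT volumes per machine, with the
-- service pack level alongside so remediation can be planned per build.
-- These comment lines are annotation for the reader; remove them before
-- pasting the statement into the SMS query editor.
-- Assumption: FileSystem is reported as "FAT" or "FAT32", so "FAT%" matches both.
select distinct
  SMS_R_System.Name,
  SMS_R_System.LastLogonUserName,
  SMS_G_System_OPERATING_SYSTEM.CSDVersion,
  SMS_G_System_LOGICAL_DISK.DeviceID,
  SMS_G_System_LOGICAL_DISK.FileSystem,
  SMS_G_System_LOGICAL_DISK.Size
from SMS_R_System
  inner join SMS_G_System_LOGICAL_DISK
    on SMS_G_System_LOGICAL_DISK.ResourceID = SMS_R_System.ResourceId
  inner join SMS_G_System_OPERATING_SYSTEM
    on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_LOGICAL_DISK.FileSystem like "FAT%"
  and SMS_G_System_LOGICAL_DISK.DeviceID >= "C:"
  and SMS_G_System_LOGICAL_DISK.DeviceID < "H:"
order by SMS_R_System.Name, SMS_G_System_LOGICAL_DISK.DeviceID
```

FAT volumes carry no file ACLs, so the file-permission part of a hardening package has nothing to set on the drives this query returns.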
DosFreak 2 Posted March 1, 2002

Yep, our work has the Technet Plus subscription. Of course I'm the only one who uses it. Comes in handy. Thanks for the queries!
DosFreak 2 Posted March 1, 2002

Have you played around with the 2000 templates? Was thinking about pushing compatws.inf to all my 2000 machines via SMS but am unsure. Compatws doesn't seem to have the Password policy/Auditing policies that the securews.inf seems to have. I'm guessing that I'm going to have to integrate the 2 somehow.