
Monthly Archives: July 2008

Script: Shares Creation

Earlier I posted scripts that check whether network shares are available over the network. This script also works with shares: it verifies that all shares on the machine are approved. Unfortunately we don't have a central database with all configuration yet, so in this example I have solved that with a file on the agent-managed machine that contains the names of all approved shares.

This script lists all shares and compares them with the share names in a local file. If a share is not in the local file, a local event is generated with the share name and the path to the shared folder. You can pick up that event with Ops Mgr or MOM and generate an alert.

Download the script here
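The comparison described above, sketched in PowerShell as an added example (this is not the downloadable script from this post). The allowlist path, the event source name "ShareAudit" and event ID 9100 are hypothetical, and `Write-EventLog`/`New-EventLog` are Windows PowerShell cmdlets.

```powershell
# Added example. The allowlist path, event source and event ID are hypothetical.
function Get-UnapprovedShare {
    param(
        [Parameter(Mandatory)] [object[]] $Share,   # objects with Name and Path
        [string[]] $ApprovedName                    # lines read from the allowlist file
    )
    # Normalise the allowlist: trim, drop blank lines and '#' comment lines.
    $approved = $ApprovedName | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
    # -notcontains is case-insensitive, like share names. An empty allowlist
    # flags every share, so a missing or emptied file does not pass silently.
    $Share | Where-Object { $approved -notcontains $_.Name }
}

function Write-UnapprovedShareEvent {
    param([object[]] $Share, [string] $Source = 'ShareAudit', [int] $EventId = 9100)
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source   # one-time, needs admin
    }
    foreach ($s in $Share) {
        Write-EventLog -LogName Application -Source $Source -EventId $EventId `
            -EntryType Warning -Message "Unapproved share '$($s.Name)' -> $($s.Path)"
    }
}

# Constructed sample data so the comparison can be checked offline.
$sampleShares = @(
    [pscustomobject]@{ Name = 'ADMIN$';  Path = 'C:\Windows' }
    [pscustomobject]@{ Name = 'Finance'; Path = 'D:\Data\Finance' }
    [pscustomobject]@{ Name = 'Temp';    Path = 'C:\Temp' }
)
$sampleApproved = @('# approved shares', 'admin$', 'C$', 'IPC$', 'Finance', '')
Get-UnapprovedShare -Share $sampleShares -ApprovedName $sampleApproved

# On a managed machine (elevated Windows PowerShell), uncomment:
# $live = Get-CimInstance -ClassName Win32_Share | Select-Object Name, Path
# $list = Get-Content -Path 'C:\Scripts\ApprovedShares.txt'   # hypothetical path
# Write-UnapprovedShareEvent -Share (Get-UnapprovedShare -Share $live -ApprovedName $list)
```

With the sample data only the "Temp" share is returned; an alert rule in Ops Mgr or MOM would then match on the chosen source and event ID.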

ACS and Windows Server 2008

Microsoft Audit Collection Services (ACS) is a new function in SCOM 2007 that can collect logs from machines. All logs are saved in a special Audit Collection database. You can then run reports against the database to see trends and do security analysis. You can also, for example, trace a user's activity across many systems.

Operations Manager (Ops Mgr) comes with a number of ACS reports, but most of them only work with Windows Server 2003. I have customers who have upgraded to Windows Server 2008 and now find that ACS no longer works. That is because the ACS reports look for Windows Server 2003 events. For example, the “Usage_-_User_Logon” report looks for event IDs 540 and 528, but in Windows Server 2008 the logon events are IDs 4624 and 4648.

Another problem with ACS reports is that you can’t schedule them with relative dates, for example “last week first day” and “last week last day”.

To create a new report that shows all logons (event ID 4624) for a domain user over the last seven days, you can use the built-in SQL Report Builder. This presupposes that you have ACS installed correctly. You can read how to deploy ACS here.

  1. Start the Operations Manager 2007 console and navigate to the Reporting workspace, click “Design a new report”
  2. In “Microsoft Report Builder” select Audit as source of data for your report, select table report layout and click OK
  3. Click and add a title, for example “Contoso – Domain User Logon”
  4. From “Fields” drag and drop “Logon Time” to the table
  5. From “Fields” drag and drop “Target User” to the table
  6. From “Fields” drag and drop “Event Machine” to the table
  7. From “Fields” drag and drop “String 13” to the table
  8. From “Fields” drag and drop “String 02” to the table
  9. From “Fields” drag and drop “String 12” to the table
  10. From “Fields” drag and drop “String 03” to the table
  11. Click “Fields” in the tools menu
  12. In the “Filter Data” window, from “Fields” drag and drop “Event ID” to the “Dv Alls with” box. Select event ID 4624 in the drop down menu
  13. In the “Filter Data” window, from the “Fields” drag and drop “Logon Time” to the “Dv Alls with” box. Select “Logon Time on or after 7 days ago” and “Logon Time on or before today”
  14. In the “Filter Data” window, from the “Fields” drag and drop “Target Domain” to the “Dv Alls with” box. Select “Target Domain equals ”
  15. In the “Filter Data” window, from the “Fields” drag and drop “Target User” to the “Dv Alls with” box. Right-click “Target User” and select “Prompt”. If you don’t add a filter to this formula you will get a drop-down menu with all usernames to select from. (Right-click “Target User” and select “Edit As Formula”, double click “Parameter: Target User”, expand, add a simple filter, for example an empty filter)
  16. Rename the table cells, for example:
    Event Machine to “Computer (Logon on to)”
    String 13 to “Auth Package”
    String 02 to “Logon Type”
    String 12 to “Logon Process”
    String 03 to “Computer (Logon on from)”
  17. When you are happy with your new report you can test run it with the “Run Report” button. You can then save the report to your report server on the File menu.

It can also be nice to add an information box that explains both what this report does and what the different logon types mean. Also insert a filter description into your report from the Insert menu.
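For checking what the report should show on a single server, here is an added PowerShell example (not part of the original post, and not an ACS query): it reads event ID 4624 from the local Security log for the last seven days, filters on target domain and user, and produces the same columns plus the logon type legend mentioned above. The event data field names are those of the 4624 event; the host names and the user "jdoe" in the sample are constructed.

```powershell
# Added example; the live query needs an elevated Windows PowerShell session.
$LogonTypeName = @{   # logon type codes recorded in event 4624
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function ConvertFrom-LogonEvent {
    # Map one 4624 event (XML text) to the columns used in the report.
    param([Parameter(Mandatory)] [string] $EventXml)
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = "$($d.'#text')".Trim() }
    $type = [int]$data['LogonType']
    $name = if ($LogonTypeName.ContainsKey($type)) { $LogonTypeName[$type] } else { 'Other' }
    [pscustomobject]@{
        LogonTime    = $evt.System.TimeCreated.SystemTime   # UTC, as recorded
        TargetUser   = $data['TargetUserName']
        TargetDomain = $data['TargetDomainName']
        LogonOnTo    = $evt.System.Computer
        AuthPackage  = $data['AuthenticationPackageName']
        LogonType    = "$type ($name)"
        LogonProcess = $data['LogonProcessName']
        LogonFrom    = $data['WorkstationName']
    }
}

function Get-DomainUserLogon {
    # All 4624 logons for one domain user in the local Security log, last $Days days.
    param([Parameter(Mandatory)] [string] $Domain,
          [Parameter(Mandatory)] [string] $User, [int] $Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEvent -EventXml $_.ToXml() } |
        Where-Object { $_.TargetDomain -eq $Domain -and $_.TargetUser -eq $User }
}

# Constructed sample event (not captured from a real system) to check the mapping offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2008-07-21T08:15:02Z"/><Computer>SRV01.contoso.local</Computer></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">10</Data><Data Name="LogonProcessName">User32 </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data><Data Name="WorkstationName">WS042</Data></EventData>
</Event>
'@
ConvertFrom-LogonEvent -EventXml $sampleXml
# Get-DomainUserLogon -Domain 'CONTOSO' -User 'jdoe'
```

The sample event maps to logon type "10 (RemoteInteractive)", which is the kind of legend the information box in the report can carry.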

Useful Links
Description of security events in Windows Vista and in Windows Server 2008, link
Audit Category: Logon/Logoff (Vista and Windows Server 2008), link

The Custom Configuration Report

Today when I was looking for a list of all my agent-managed machines I found the Custom Configuration report, under generic reports. It is a fairly nice report in which you can add a group and then select report fields. For example, if you add “Agent Managed Computer Group” as a group you can then choose to display hostname, IP address and OU. It can also be used to generate a report of all logical disks with special attributes; you configure the formula for the special attributes in a dynamic group.

Windows Server 2008 templates

This is a short step-by-step guide on how to create a Windows Server 2008 template in SCVMM 2008.

  1. In the Virtual Machine workspace, create a new Windows Server 2008 virtual machine. Install Windows and configure it as you like, for example run Windows Update. The templating process expects either a blank password or injects one, therefore you will need to edit your local security policy to allow “non complex passwords” (start Local Security Policy, Account Policies, Password must meet complexity requirements = FALSE). Make sure the machine is stopped.
  2. In the Library workspace, create a new software profile including for example product key, time zone, local administration password
  3. In the Library workspace, create a new hardware profile including suitable hardware. Read all about Windows Server 2008 system requirements here at Comparitech.
  4. In the Library workspace, navigate to templates, click New Template. Follow the wizard and select your new Windows Server 2008 machine as source. Select the hardware and software profiles that you created. The wizard will sysprep your machine and prepare it to be a template; it will also store the template in the library.

If you now want to use the new template, go to the virtual machines workspace. Click “New Virtual Machine”, use a template, select your new Windows Server 2008 template, input a name, and select your software and hardware profiles. Don't forget to input a hostname under “Guest Operating System” (Input server name). After that, you have a new Windows Server 2008 machine built on your template machine, with your hardware profile and software profile applied.

Set Resolution State Automatic

This script changes the resolution state. You can schedule it to run every X minutes, and it will then update the resolution state for new alerts. For example, set all alerts including *SQL* to resolution state “Assigned to SQL team”. Fairly simple, but it can save you some time compared with changing the resolution state manually or re-configuring all rules and monitors to generate alerts with another resolution state.

You can download the script here