SMS Fun




3867 Posts
Location -
Joined 2000-02-04
Finally got around to playing around with SMS yesterday. Didn't know how to create a package and distribute it so I took a quick peek at the Microsoft Technet Security Toolkit and it told me all I needed to know. Got Windows 2000 SP2 to start distributing that very same night. Came in the next morning and started looking over all the properties for the settings. Decided to make some changes (The hardware/software queries were running every single day! 8) 8) ). Then I decided to mess with the permissions because some genius never put the passwords in our Master Password List. DOH! Well I messed too much and stopped SMS from distributing. Finally figured out that I needed to do a site reset. Stuck in SMS 2.0 SP1 CD and it complained about NT4 Terminal Services so I removed Windows 2000 Terminal Services from the box and setup resumed. Unfortunately the Site Reset option was grayed out! Finally grew a brain after a couple of seconds and ran SP3 which provided the option to reset and found the problem...seems I switched it from integrated authentication to the other option which prevented SMS from communicating. So I switched it to Integrated. Rebooted and away it went! YAY!
 
 
Anyways, I need to apply permissions to the registries of about 600-700 machines. Now I could do it via logon script but I've got SMS here and I want to do it that way. This is an NT4 Domain with NT4/NT5 machines. Unsure what I need to do. I *think* that I need a CL tool that could apply permissions or do I need to create a local workstation policy and use the built-in tools in NT to apply the policy? (So simply distribute a batch file with the policy to execute on each machine?)
Remember this is an NT4 Domain so no Group Policy.

Anybody have any hints and tips? I could figure this stuff out myself but I'm extremely pressed for time and why waste it when I can get the good stuff here.


Responses to this topic



3857 Posts
Location -
Joined 2000-03-29
I have been using SMS for the last couple of years, and in general I tend to do what you mention; I will simply deploy a batch file and run it as an admin (if needed) with domain admin credentials. You can also use WSH scripts to do more advanced functions assuming that you have a fairly current version of WSH on the workstations. If you have that kind of hardware, I am assuming that you have a decent test server/client base to play with and can practice the pushes on that.
 
You'll find it's really nice, but sometimes hangs on advertisements a bit for no apparent reason, so if you set one up and it never goes out, just recreate it and you should be fine. Also, another thing, if you plan on distributing an application (like SP2) from one site, bear in mind that it will still make a copy of it to distribute it anyway. This is kind of annoying, as the server is also my only CAP (small network) and I wind up with 2 copies of it. This behavior eats up disk space quickly when you are pushing apps the size of Office 2000.


3867 Posts
Location -
Joined 2000-02-04
OP
Nope, No Office pushes are going to happen here if I have a say in it. Heck, it was hard enough to convince myself to push out Service Packs! My main reason was that our WGM's need to be trained because they are pathetically ignorant of their jobs but also lazy.....they would never do the job anyway. So SMS will have to do it for them.
 
Now gotta read up on pushing out the latest 2000 SRP/NT4 SP6a/NT4 Security Rollup/and the IE Security Rollup that just came out. I will have the ultimate secure network! Muahahahahhahaha.
 
So far out of 125 machines patched with SP2 none have crashed so I'm happy. What worries me tho is the Post SP6a security rollup which crashes Compaq computers with Smart Array controllers. When installed upon reboot the server crashes. So I think I'll limit SP6a/Post SP6a fix to workstations as it should be.


3857 Posts
Location -
Joined 2000-03-29
HA! You saw that too?!?!?! Damn, I installed it and it scrambled the $hit out of my partitions. My Proliant 3000R took it just fine, but the 5500R had a seizure and crapped out. Of course, this was rather handy since it was *only* the database server for our ERP system. Bastards...
 
As for limiting the pushes, our naming convention makes that very easy to control (PC1, Server6, etc) and anything else is easily nailed down by subversion (SP Level). If you want great sources on SMS info, check out www.myitforum.com and www.swynk.com, although the latter is fading away as far as new content goes. You can pick up pre-existing queries and scripts there (of course they took some of mine, so they must be desperate ) and some nice how-tos.
 
In any case, SMS is *extremely* powerful, and should not be used around open sources of heat or combustible substances.


3867 Posts
Location -
Joined 2000-02-04
OP
Yep, stoopid M$. When the Post SP6a first came out I tested it out on a Compaq Server, important but not important enough that a little downtime wouldn't hurt. Well I installed it and it crashed the box. I ripped out my DOS NTFS disks and found which file I needed to replace to get it to work again. I was also able to replace the file in the Post SP6a update so that I could install the Post SP6a rollup on the rest of my Compaq servers without going through that mess again. Still it isn't totally Microsoft's fault. This is Compaq we are talking about here.

Was rebuilding a Proliant 1600 the other day and what I love about these Compaqs is the software support. The System Flash Utility and the SmartStart CD are EXCELLENT tools. Even though Dell is replacing Compaq in the server arena I wish Dell would make their server software packages as well as Compaq does.


3857 Posts
Location -
Joined 2000-03-29
We have those 2 Compaqs that I mentioned, plus an old Prosignia 200 (getting retired to development work), a DL360R, and we just picked up a DL380R G2 and they have all worked rather well. I have worked with 3 Dell servers, and while they have been assembled nicely, I do like the software utilities and the general support I have received from Compaq enough to make me keep buying from them. Of course, with the HP buyout I am not sure how long this impression will last...
 



3867 Posts
Location -
Joined 2000-02-04
OP
Well, just pushed out a file/registry permissions program that removes the "Everyone" group and some other common security procedures to all workstations on-base! So far it's pushed out and installed to 30+ computers! Gonna do an ISS scan tomorrow and see if the vulnerabilities have decreased.
 
Also I'm starting to get more and more into queries. Created a couple of queries for the different SP levels of NT and am starting to get into BIOS ver of the computers. Also made another query to look for FAT partitions on computers!
 
So much to do. So much to do. 8) 8)


3857 Posts
Location -
Joined 2000-03-29
I have a query that determines partition type and size. If you like, I can send some of my favorites out to you.


3867 Posts
Location -
Joined 2000-02-04
OP
Send,send,send,send!
 
Gonna review basic maintenance things I do to computers and see what's feasible to push out through SMS. Any help would be appreciated.
 
Gonna get these FAT drives off my network.


3857 Posts
Location -
Joined 2000-03-29
Here's one for "Free Space on Local Hard Drives"
 

    select distinct
        SMS_R_System.Name,
        SMS_R_System.LastLogonUserName,
        SMS_G_System_LOGICAL_DISK.DeviceID,
        SMS_G_System_LOGICAL_DISK.FileSystem,
        SMS_G_System_LOGICAL_DISK.Size,
        SMS_G_System_LOGICAL_DISK.FreeSpace
    from SMS_R_System
    inner join SMS_G_System_LOGICAL_DISK
        on SMS_G_System_LOGICAL_DISK.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_LOGICAL_DISK.FileSystem != "CDFS"
        and SMS_G_System_LOGICAL_DISK.DeviceID < "H:"
        and SMS_G_System_LOGICAL_DISK.DeviceID >= "C:"
    order by SMS_R_System.Name
 
"Install Date and Last Boot Time" (Boot Time can be skewed depending on update cycle of clients to site DB):

    select
        SMS_R_System.NetbiosName,
        SMS_R_System.LastLogonUserName,
        SMS_G_System_OPERATING_SYSTEM.Name,
        SMS_G_System_OPERATING_SYSTEM.LastBootUpTime,
        SMS_G_System_OPERATING_SYSTEM.InstallDate
    from SMS_R_System
    inner join SMS_G_System_OPERATING_SYSTEM
        on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
    order by SMS_R_System.NetbiosName

 
"Windows 2000 Workstations by Service Pack"

    select
        SMS_R_System.Name,
        SMS_R_System.IPAddresses,
        SMS_G_System_OPERATING_SYSTEM.CSDVersion,
        SMS_R_System.OperatingSystemNameandVersion,
        SMS_R_System.LastLogonUserName,
        SMS_G_System_OPERATING_SYSTEM.Version
    from SMS_R_System
    inner join SMS_G_System_OPERATING_SYSTEM
        on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
    where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation 5.0"
    order by SMS_G_System_OPERATING_SYSTEM.CSDVersion

 
As you can tell, these can be modified pretty easily to suit your needs (like changing the last one to look for NT4 workstations, or look for servers rather than workstation, etc). I have some others, and will post them or send them out to you in a bit. Also, do you have the SMS Resource Kit? That has some pretty nifty utilities in it.


3867 Posts
Location -
Joined 2000-02-04
OP
Yep, our work has the Technet Plus subscription. Of course I'm the only one who uses it. Comes in handy. Thanks for the queries!


3867 Posts
Location -
Joined 2000-02-04
OP
Have you played around with the 2000 templates? Was thinking about pushing compatws.inf to all my 2000 machines via SMS but am unsure.
 
Compatws doesn't seem to have the Password policy/Auditing policies that the securews.inf seems to have. I'm guessing that I'm going to have to integrate the 2 somehow.
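
One way to approach the template integration raised in the last post, as an added example that is not from the thread or from any Microsoft tool: parse two security templates, report which sections the compatibility template lacks, and copy only the password and audit sections across. The sample templates are constructed for illustration (they are not the real contents of compatws.inf or securews.inf), and all function names are hypothetical.

```python
# Constructed samples for illustration; NOT the real compatws.inf/securews.inf.
COMPAT_SAMPLE = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
%SceInfPowerUsers%__Members =
[File Security]
"%SystemRoot%\\repair",2,"D:P(A;CIOI;GA;;;BA)"
"""
SECURE_SAMPLE = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
[Event Audit]
AuditLogonEvents = 3
"""

def parse_template(text):
    """Return {section: [setting lines]} in file order; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            current.append(line)
    return sections

def setting_name(line):
    """Name of a 'name = value' line; path/SDDL entries are keyed whole."""
    return line.split("=", 1)[0].strip().lower()

def missing_sections(base, overlay):
    """Sections the overlay template defines that the base lacks."""
    return [name for name in overlay if name not in base]

def merge(base, overlay, areas):
    """Copy only the named sections from overlay; overlay wins per setting."""
    merged = {name: list(lines) for name, lines in base.items()}
    for area in areas:
        wanted = overlay.get(area, [])
        names = {setting_name(line) for line in wanted}
        kept = [l for l in merged.get(area, []) if setting_name(l) not in names]
        if kept or wanted:
            merged[area] = kept + wanted
    return merged

def render(sections):
    """Serialise the merged sections back to template text."""
    return "".join(f"[{n}]\n" + "".join(l + "\n" for l in ls) for n, ls in sections.items())
```

Restricting the merge to named sections keeps the compatibility template's file and registry ACL entries untouched while adding the password and audit settings it lacks.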