O R G A N I C / F E R T I L I Z E R: 09.05

Sep 27, 2005

clearing the mom agent cache

i'm frequently asked how this is done. i thought i'd post it here for anyone that needs it. basically, you have to stop the mom service to do this properly. that's step one. delete the contents of the cache folder, then spin up the mom service. here's the contents of the batch file i use for this (watch for word wrap):

net stop mom

del "c:\documents and settings\all users\application data\microsoft\microsoft operations manager\%1\"*.* /s /q /f

net start mom


that's it.

Sep 22, 2005

mom agents and mcafee 8.0i

if you've been getting alerts in mom like this one:
The response processor failed to execute a response. The response returned the error message: The remote procedure call failed.
then you may be experiencing what other administrators have experienced when using mom agents w/ mcafee 8.0i. apparently the scriptscan module is causing this behavior to occur. there are two workarounds so far to handle this problem.
  1. the first one requires unregistering the scriptproxy.dll component of mcafee 8.0i. this probably isn't a very savory workaround. it gets the job done though. you can find references to this stuff at microsoft or at mcafee.
  2. the second one is to apply the patch 11 from mcafee. if you look through the readme, you'll see this item referenced in issue #2
A third-party application working with scripts can encounter an access violation error if it passes a NULL pointer to the Script Scan module (SCRIPTPROXY.DLL). The Script Scan module does not refer a NULL pointer. BZ235573 RESOLUTION: The Script Scan module can now refer NULL pointers.
so we can all go back to thanking mcafee for getting off their ass and posting a fix for this problem.
:)

UPDATE: evidently mcafee posted some additional information. here's the link.

Sep 16, 2005

looking for john hann's articles?

don't worry. i'll be posting his article contents here. of course, since i didn't write them, i'm not going to support them in any way, shape, or form. :) the only service i'm going to do for ol' john is correcting his grammar and spelling (less uppercase, of course). keep checking back.

sms security - script

okay... as a follow up to my previous post, this script will set the permissions of a defined group to have read/modify/delete rights over the subcollections of a parent collection. i used this to set the subcollections of the master collection i talked about in my previous post. anyway, watch out for potential word wrap. oh, btw, this blogger likes to strip spaces. going to have to make your own formatting. here it is. (watch for word wrap!)

 

' Author:  Marcus C. Oh
' Date:    9/16/2005
' Purpose: Grants a group Read/Modify/Delete instance level
'          permissions to the child collections of a specified
'          parent collection.
' Credit:  I shamelessly ripped the connection string from Michael
'          Schultz and other variable/string logic from him.  :)
'          Permissions logic from the SMS Scripting Guide
'
'          Added subroutine logic sent up by a blog reader.  Now the
'          script parses subcollections.



'--------------------------------------------------------------------
' Modify the following values
mySiteServer =   "<Site Server Name>"
mySiteCode =     "<Site Code>"

' Modify the "mySMSGroup" here to the group you're giving permissions
'   Follow the Domain\GroupName convention

' Modify the "myCollectionID" to the parent collection ID
mySMSGroup =     "<DomainName\GroupName>"
myCollectionID = "<Parent Collection ID>"
'--------------------------------------------------------------------

' Connects to WMI
Set myLocator = CreateObject("WbemScripting.SWbemLocator")
Set myService = myLocator.ConnectServer(mySiteServer, "root/sms/site_" & mySiteCode)

If Err.Number <> 0 Then
    Wscript.Echo "WBemServices connection failed!"
    Wscript.Quit
End If

ProcessCollection(myCollectionID)


' Subroutines ------------------------------------------------------

Sub ProcessCollection(collectionID)
    ' Query to pull the child collections of a given Collection ID
    myQuery = "select coll.* " &_
              "from SMS_Collection as coll join SMS_CollectToSubCollect as assoc " &_
              "on coll.CollectionID=assoc.subCollectionID where " &_
              "assoc.parentCollectionID=" & Chr(34) & myCollectionID & Chr(34)
    
    Set myCollections = myService.ExecQuery(myQuery)
    For Each oCollection In myCollections
        WScript.Echo VbCrLf & "Collection Name: " & oCollection.Name &_
        VbCrLf & "Collection ID  : " & oCollection.CollectionID
        AlreadySet = False
        Set myRights = myService.ExecQuery("Select * From SMS_UserInstancePermissionNames WHERE ObjectKey=1 AND InstanceKey='" & oCollection.CollectionID & "'")
        WScript.Echo "The following groups already have these permissions:" & vbCrLf
        For Each oRight in myRights
            WScript.Echo "  " & oRight.Username + "  " & oRight.PermissionName
            If oRight.Username = mySMSGroup Then AlreadySet = True
        Next
        If Not AlreadySet Then
            Set myNewRight = myService.Get("SMS_UserInstancePermissions").SpawnInstance_()
            myNewRight.UserName = mySMSGroup
            myNewRight.ObjectKey = 1 'Object type is set to Collections
            myNewRight.InstanceKey = oCollection.CollectionID
            myNewRight.InstancePermissions = 1+2+3 'Grant Read, Modify, Delete
            myNewRight.Put_
            WScript.Echo vbCrLF & "The " & mySMSGroup & " users now have access to " &_
                oCollection.Name & "."
            ProcessCollection(oCollection.CollectionID)
        End If
    Next
End Sub

Sep 15, 2005

managing sms collection security

back in february, i posted about how useless sms security was for the enterprise. well, i have to repeal that comment now. yesterday, i received some information on how to setup sms to narrow down focus to a specific collection. this means you can separate administration for workstations to your client staff, servers to your server staff, domain controllers for your domain admins, etc. with this method, now you can setup secondary site servers and have that layer of useful granularity so that your site admins could have control of their own clients. enough prattling. on to the good stuff... in this example, we're going to setup security for client administrators.
  1. setup a collection of clients that are all workstations.
  2. grant the following rights only to the group or user (suggest using groups) on the class level to collections:
    • advertise
    • create
    • delegate
  3. if the group/user has any other permissions to the class level, make sure that gets removed.
  4. grant the group/user instance level permissions to the collection that you created in the first step with the following rights:
    • modify
    • read
    • read resource
    • use remote tools (where wanted/applicable)

i'll explain a few things here. what you've done is removed class level read permissions to any collection in sms. now any time the user creates a new collection, any membership has to be validated against a specific collection - be it static (direct) or dynamic (query). in this case, they only have rights to read the information from the collection created in step 1.

you don't have to grant "modify" rights as stipulated in step 4. do this only if you want the user to be able to create subcollections under the collection created in step 1. modify does not mean that they can change the membership in the master collection. even the membership rules of this collection require validation against the master collection. since the master collection is itself... the most they could do is remove items but not add any more than what's defined initially. cool stuff. thanks eric.

update: since having posted this, i've modified step 4 to add "read resource" and "use remote tools". a new member of my team pointed out that without "read resource" rights, advanced query functions like subselect are not available.

here's the link for the script: http://marcusoh.blogspot.com/2005/09/sms-security-script.html

Sep 14, 2005

purging unwanted dsuw data

just thought i'd give some service to one of my cohorts that put up this useful post on cleaning patch files out of the dsuw directories for sms. click the link to access his blog.

Sep 13, 2005

dns aging and scavenging

if you're looking for my article, you can find it on myitforum.com - but... hey i just found it on searchwin2000.techtarget.com. pretty cool. click the link above...

useless mom trivia

question: in the Microsoft Windows Storage State Monitoring Script, there is a value called "MegaByteFreeSpaceThreshold". what is this value for? answer: absolutely nothing. in the script, the value for the parameter above gets set here:
THRESHOLD_MB = GetParam("MegaByteFreeSpaceThreshold")
here's the only section of the script that actually uses this value. notice that it's commented out:
'Commenting out Megabyte comparison alone 'If nMBFree < problemstate =" PROBLEMSTATE_RED" alertlevel =" ALERT_CRITICAL_ERROR">
by the way, i should mention that the mp guide actually states the MegaByteFreeSpaceThreshold as a valid parameter but don't discuss how it's valid to any detail. the lack of detail was what made me go snooping around. guess someone didn't do their homework.