Archive for the 'SysAdmin' Category

Managing Local Admins using GPP

This is a brain dump of something Alan Burchill and Lilia Gutnik presented at TechEd Australia 2009. It covers managing local administrators on your workstations using the power of Group Policy Preferences.

  1. Create a new GPO if necessary, and link it to the OU where it needs to be applied
  2. Edit the new GPO, and go to Computer Configuration, Preferences, Control Panel Settings, Local Users and Groups
  3. Right-click in the pane on the right, and select New, Local Group
  4. Set up the “New Local Group” as per below. I’ve got it removing all existing users and groups so that we can define everything we need using Group Policy. You add variables like %computername% by pressing F3 whilst the cursor is in a text entry field.
     [Screenshot: gpp_2]
    I also included the Description text that is shown on the default local Administrators group: “Administrators have complete and unrestricted access to the computer/domain”
  5. You also need to add a member called “domainname\%ComputerName%-Admins”. This will allow you to define a group in AD that can be used to assign local admin rights to a particular machine.

    The good thing about this is that you only need to define groups for PCs that you wish to add local admins to, but all PCs that have the GPO applied are ready for this type of setup.

  6. You can also go into the Common tab and select “Remove this item when it is no longer applied”
  7. The last step is to create a Security Group in AD with the name {computername}-Admins. For example, if you have a computer named syd-60128, you create a group in AD called syd-60128-Admins. Adding users into that group will then make those users a local administrator for that particular PC.
  8. Do a “gpupdate” on the machine in question, and you should see the group’s membership change:
    [Screenshot: gpp-5]

How to install a Windows-CA-Signed Certificate on VMWare Server 2.0x

  1. Make a backup of /etc/vmware/ssl/rui.crt and rui.key
  2. Generate a new server key: openssl genrsa -out rui.key 2048
  3. Generate a CSR: openssl req -new -key rui.key -out server.csr
  4. Go to the Certificate Services web interface on one of your DCs, and select “Request a Certificate”
    1. Select “advanced certificate request”
    2. Select “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
    3. Paste the CSR text into the “Saved Request” field, and select “Web Server”, and Submit the request
    4. Select “Base 64 encoded”, and “Download certificate”
  5. Transfer the certificate to the Linux box running VMWare Server
  6. Copy/rename the new certificate (certnew.cer) over rui.crt
  7. Do a “service vmware restart”
  8. Voila! A trusted certificate. No more web browser/VMWare Client messages about invalid certificates
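
Before step 6 overwrites rui.crt, it is worth confirming that the certificate the CA returned belongs to the key generated in step 2, and that the key ends up readable by root only. The script below is an added example, not part of the original post; the function names and the assumption that the new files sit in a staging directory outside /etc/vmware/ssl are illustrative.

```shell
#!/bin/sh
# Added example: checks to run before replacing rui.crt / rui.key.
# Function names and the three-argument layout are illustrative assumptions.

# Succeeds only if the certificate carries the public half of the private key.
cert_matches_key() {   # cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Back up the current pair (step 1), then install the new one (step 6).
install_cert() {       # install_cert NEW_CERT NEW_KEY SSL_DIR
    if ! cert_matches_key "$1" "$2"; then
        echo "refusing: certificate does not match private key" >&2
        return 1
    fi
    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "refusing: certificate is expired or unreadable" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    for f in rui.crt rui.key; do
        if [ -f "$3/$f" ]; then
            cp -p "$3/$f" "$3/$f.$stamp.bak" || return 1
        fi
    done
    cp "$1" "$3/rui.crt" || return 1
    # Copy the key under a restrictive umask, then force mode 600 in case
    # an existing rui.key had looser permissions.
    ( umask 077 && cp "$2" "$3/rui.key" ) || return 1
    chmod 600 "$3/rui.key" || return 1
    echo "installed; restart the service as in step 7"
}

# Stand-alone use: sh install_cert.sh certnew.cer rui.key /etc/vmware/ssl
if [ "$#" -eq 3 ]; then
    install_cert "$@"
fi
```

A mismatch at this stage usually means the CSR was generated from a different key than the one about to be installed; catching it here avoids restarting the service with a pair it cannot load.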

Mini Brain Dump: IP Subnet Change Considerations

I’ve been sitting on this post for a long time, and intended to write a more detailed description.

Here are some things you may need to consider (outside of the obvious like DHCP scopes, DNS server settings, Firewall settings & rules, etc) when changing the IP range your Windows network operates on:

  • TCP/IP Printer ports on print server
  • Printer/Copier IP/DNS/SMTP settings
  • Exchange allowed relay ranges
  • Any copy/print accounting devices attached to copiers
  • Monitoring host settings, e.g. Big Brother/Hobbit, on both the client and server side, if not configured to use DNS in config files
  • Server iLO IP addresses

Some steps for changing domain controller IP addresses. Do these first before any other important servers:

  1. Change IP
  2. ipconfig /flushdns
  3. ipconfig /registerdns
  4. Either restart the Netlogon service, or run ‘nltest /dsregdns’
  5. Reboot

Disclaimer: This is by no means a complete list. Use these directions at your own risk.


mRemote: A Remote Connections Manager

This tool should be a part of any self-respecting SysAdmin’s toolkit. mRemote is “a full-featured, open source, multi-tab remote connections manager”.

What does this mean, you say? It means you’ve got one neat console where you can manage all your remote connections in one place. mRemote currently supports these protocols:

I haven’t set it up fully yet, but it will be really handy to have all my web-based admin areas and SSH to Linux boxes in there too.


A side note: it uses the same rendering engine as Firefox, so some web-based admin pages may not display properly. This, however, is no fault of mRemote or Firefox.


Update: Deploying MYOB Premier via MSI

I recently figured out a better way to get MYOB Premier to deploy via MSI than the previous method that I posted. This method basically stops the MSI from checking if it’s been run by a bootstrapper (Setup.exe). I’ve tested this with Premier 11 and 12 and it deploys fine on XP and Vista.
