DFS Replication and the SYSVOL Problems

I recently noticed on one of my domain controllers that there were some warnings in the Event Log for DFS Replication.  Well, actually what I noticed was that the SYSVOL folder on some of my DCs didn't have all of the GPO folders.  A bit of searching to find out what causes that led me to looking into the Distributed File Services Replications.  Which in turn led me to the event viewer.  Which led me to the Warning ID 2213 from DFSR.

The warning

Yay! I love warnings in the event viewer.  Wait, this is just a warning, "Hey, by the way I'm not replicating your crap any more and I'm not going to replicate it any more until you manually intervene."  Isn't that nice?  This looks like something that should be more than just a "warning."

The warning looks a bit scary, but it is very helpful in that it tells you exactly how to fix it.  Have to give Microsoft points for that one, put the fix right there in the warning.  I mean, you can copy and paste the command out of the warning message and into a command prompt and it'll fix itself.

Now, why exactly did I have to wade through the event viewer to find this warning and this command?  Where's Clippy when you need him?  A nice "Hey I noticed you didn't do a clean shutdown, would you like to re-enable your SYSVOL replication, it might be important?"  Why did they neglect that?  When I log back in it asks me why it was shut down improperly, why not take that same opportunity to ask about re-enabling the replication too?

But, I digress, back to fixing replication.  What you ask?  I'm not done yet?  I told you to cut and paste the command from the event description to fix it didn't I?

If you're like me, it didn't work.  I selected the text, I copied the text, I click on the Powershell prompt, waited it for it to open, I pasted the command and finally pressed enter.  Only to be greeted with an "Unexpected switch at this level" message.  Well that was nice and friendly.  I bet I need an elevated prompt.  So this time I right-clicked on the Powershell prompt and selected "Run as Administrator."  Surely that will fix it, nope, it doesn't, it gives you the same error message.  Ok, so I must have just not selected everything before I copied.  I tried it a few more times, nothing, same error message.

Now it's time to hit the internet.  I do some searching and I find this post over on howdoicomputer.com.  It looks like they ran into the same problem.  The trick is to use a regular command prompt, not a Powershell prompt.  How do you like that?  The answer's right in the event message, "from an elevated command prompt."  So Microsoft's be all end all Powershell prompt is useless when it comes to using this WMI command.

I also ran into the DFSR error 4012 that they mention in that same post over at howdoicomputer.com.

The error

By default, you've only got 60 days to correct the problem, after that it will not restart replication.  The quick fix for that is to change that default window to something greater than however many days you have been out of replication and then run the command again.  The command for increasing that default is:

wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=200

That 200 on the end is the number of days to increase it to (you can pick anything above how many days you're out)..  I'm a bit embarrassed to admit, that I had run substantially longer than the 60 day default (you can see in the screenshot) and had to increase it a lot to get it to run.  However, when I finished I did set it back its default of 60 days.

When it's all said and done you should get a Information event from ID 2214 that says the replication service successfully recovered.

It's fixed!

Troubleshooting Google Chromebook Policies

Using Google Apps to manage policies Chromebook Policies?  Want to know what settings are applied to a device (or user) and when they were last updated?  Then I have found your new best friend, chrome://policy/, just load it up and take a look at what policies are getting applied.

chome://policy

The key pieces of information that I used were the "Last fetched" and "Applies to".

Another handy item listed there is the "Reload policies" button.  It comes in real handy for testing how changes affect the operation of the system.

Now I just have to go check out what this looks like on a Windows system running Chrome.

ZCM and the "Open File - Security Warning"

I kept building my ZCM (ZENworks Configuration Management) bundles to launch executables off of network shares and I kept finding that my apps either wouldn't ever run or I'd get the "Open File - Security Warning" box complaining that the file might not be safe.  Here's what that error looks like if you're not sure if you're seeing the same thing.

What I figured out was that when the bundle just ran and ran forever but never actually did anything, it must have opened this window in the Dynamic User's context and not the current user's context.  So it was sitting there waiting for someone to click Run, but no one could see it to click on it.  I could however reliably launch one application and while it was running and not doing anything, I could launch another application and it would give me the above message and I could click Run and it would go about it's business and launch.  

I don't want to train my users to click Run on random security warning boxes so I don't like leaving it up to them to click on it.  Also, since it only comes up part of the time it's not even a reliable fix.  So I went looking around for a better way.

I came across Joe Parsons post here about this same error and SCCM.  He references a Microsoft Knowledge Base article about the error and a way to get around it when running VBscripts.  That doesn't make a direct application for us in ZCM, but it puts us on the right track. 

To fix the problem we just need to add the mentioned SEE_MASK_NOZONECHECKS variable to the environment on the computer.  Easiest way to do that is in the bundle itself, just modify the "Launch Action" to add the variable and set it equal to 1.  Here's what it looks like when you've got it in there.

A week, er..... a month with Cacti

This post started out as a "one week after" post but now it's been almost a month. You can see my posts about that here for part 1 and here for part 2. I thought I would share the lessons that I've learned now that it's been up a week month and I actually have some data in it to chart.

Just a little background in case you missed my earlier posts. My reason behind setting Cacti up was to be able to monitor the utilization of our WAN links.  We weren't having any problems with them, but we wanted a little visibility into how much traffic they were passing.

After Cacti was setup, I just had to add devices and charts in place.  That work flow for that went like this:
Console > Device > Add > insert Description, insert IP address, pick host template, enter SNMP info > Create
Rinse and repeat.  There wasn't much variety here, just plugging in IP's and making the connections.

That gets all the devices in there, now I just had to add some charts. That went like this:
Console > Device > pick a device > Create Graphs for this Host > check an Interface > select an Graph type > Create
I learned a couple of lessons on this step.  One was that I like the graph output of "In/Out Bits with Total Bandwidth".  I tried out some of the other ones, but I settled on that one.  The other lesson I learned was pick the actual interface, not the virtual interface on switches.  I initially picked the virtual interface and couldn't figure out where the traffic was.  Easy fix, just pick the physical interfaces instead.  That wasn't too bad, I just had to look up which ports connected to the WAN.

So total time invested is only a couple of hours.  The majority of that time was spent in 5-10 minutes at a time making adjustments and then checking back on it an hour or so later to see what it looked it.

I've also made a couple of tweaks to the graph templates to make it easy to scan down the list and compare traffic, but I'll cover those in another post, so stay tuned.

Google Play for Education has arrived!

Google Play for Education!

It has been a good two weeks for tablets in the education market.  First Apple announces the new managed distribution model for app deployment on iPads (here's my post about that) and now this announcement from Google.

Google Play for Education is a selection of apps, videos, and books all selected by teachers and grouped by age, course, and even common core standard.  This will be a great boon for educators all over.  Having an app store were at least some semblance of oversight has been given and it's not like the wild west where anything goes.

Google has even realized that schools aren't like individuals and with access to credit cards and that the majority of our purchases have to be made with POs.  Now we've got access to curated content and the ability to actually pay for it.

I can't wait to get a chance to actually get my hands on this and try it out.

Finally... Managed Distribution from Apple

I had heard rumors about a feature in iOS 7 that would allow for "pulling back" applications.  In essence, I can assign an app to an iPad when a student gets enrolled in a class and then I can pull the app back when they move on and no longer need the app.  This would greatly ease our app management pains.  As it stands now, we have to be extremely careful about application deployment.  It's very tedious to make sure the correct iTunes account is logged into an iPad when we use a VPP redemption code.  If we're not careful, we can "give away" our redemption codes since they follow the iTunes account and not the device.  But that's all going to change now.

Apple now has added a "managed distribution" mechanism to iOS to allow the apps to be assigned to devices, and most importantly, unassigned from devices.  How did this not make major headlines when it was unveiled?  This is a major problem that we have faced with iOS devices and on the surface it looks to be the feature that we've always wanted.  I haven't actually had a chance to play with it yet, and the only thing I've read about it comes from this this Apple support page.  But so far, wow!  It's about time.

I've just done a bit more searching about this feature and it looks like there are a couple of sites with a few more notes about it.  It looks like enterprise iOS picked it up first with this article.

One downside that I do see is that it doesn't work for books.  But that's OK. I'll happily take what I can get*.

*This isn't happily because Apple is great and wonderful and I'll love anything that comes from them.  It's happily because this problem has been a real pain and with the number of iPads showing up increasing every day we'll take anything to help make management easier.

Silently Installing Audacity and LAME

Want to silently install Audacity and LAME?

Audacity

I learned my lesson in my previous adventures looking for silent install switches for iPrint (here's that post Removing iPrint Printers).  This time I started out running audacity-win-2.0.5.exe /? to see if there are any silent install options.  What do you know, there are. The "/SILENT" option looks promising for my needs.  I think I'll go ahead and add the "/CLOSEAPPLICATIONS" option in there too just so I don't get any pesky, "You need to reboot" messages.  I'm also going to go ahead and add the "/LOG" option too.  In the past I always skipped logging stuff just to make things faster, but as of late I've decided that having some log data lying around can come in handy and is worth the extra second it takes.

LAME

Unfortunately, the learned lesson with the "/?" is lost on LAME.  It doesn't support that, guess I'll have to go search for this one.  A quick search doesn't return an obvious answer.  A lot of install guides but no body talking about installing silently.  I did find a link to a WPKG package that has some command line switches burried in their XML file listed on the site.  It looks like LAME will take similar options to Audacity.  I'm going to pick the "/VERYSILENT", "/NORESTART", and "/LOG" options for the LAME installation.

Wrapping It Up

For both of the installations I just let it put the files in their default locations.  In the past you had to point Audacity to the LAME files so I used to always install the LAME dll files inside the Audacity directory.  That way when the end users tried to Export as MP3 and the window popped up asking for the dll file it was right there ready to click on.  It looks like in this new version of Audacity automatically searches the default LAME install folder (C:\Program Files\LAME for Windows).  Which is nice, that's one less thing for the end user to have to do.

I went ahead and built separate ZENworks installers for both Audacity and LAME.  I don't know why I'd ever deploy them separately, but now I can if I need to.  I'm also building a Bundle Group to include both of those installers to make it easier to assign to users.

Blogging about blogging

This blog has been around for a couple of years.  That is if you count from the time of my first post until the time of my most recent post.  If you count time spent updating it, it's only been around for a few days at most.  My posting hasn't been very regular, but I'm trying to fix that.  I recently found Jennifer Dewalt's blog http://blog.jenniferdewalt.com/post/56319597560/im-learning-to-code-by-building-180-websites-in-180 where she built a website a day for 180 days.  If she can find the time to learn and the time build something every day surely I can find the time to come up with something to write about, the time to write it out and the time to post it here.  I keep saying time time time.  The time is a big deal, but the ideas to write about have been a big deal too.  I have found that constantly looking for things to write about has changed how I view the things that I do during the day.  Every little thing that I do I find myself asking, "How would I write about this?"  I used to start out thinking about "how interesting something was" or "how novel the idea was."  Then I'd get stuck with "am I going to sound like an idiot" writing about this?  But I've come to the conclusion that the answer to the last questions is "yes" but it doesn't really matter.  I'm writing because I'm want to write.  Hopefully, you'll find something of interest here and if nothing else maybe you'll get a good laugh out of me sounding like an idiot.  That gets part of the idea stumbling block out of the way, now to work on finding the time.  :)

Does this post make sense?  Sort of, but they say practice makes perfect, right?  So, I'm going to keep at it and see where it goes.

Troubles wth RSSOwl and Password Protected Feeds

I subscribe to a lot of feeds through RSSOwl.  I should probably shrink the list of feeds because it's a lot more information coming in, way more than I can keep up with anyway.  However, I haven't kicked anything off the list, I just prioritize what I read immediately and what I read when I get around to it.  Because a lot of my feeds keep unread articles attached to them I don't always find feed problems immediately.  What I do notice is going through the list and seeing that the dates on the articles haven't updated recently.  This is what happened to me the other day with one particular feed that I subscribe to.

The particular feed that wasn't work is password protected.  The dates on the articles weren't recent and the feed icon had a red X on it.  Clicking on the feed and viewing the properties just showed a status of "no password provided".  Ok, so I need to provide a password, how do I do that?

RSSOwl supports password protected feeds, you just have to add the username and password to the feed. Here's the box I'm looking for, but how do I get to it?

I remembered when I added this feed it popped up and asked me for my username and password (like it says it's supposed to do here http://tutorial.rssowl.org/tipstricks.html).  And I remember the last time I changed my password on the site that RSSOwl asked me again for my password then.  So it was smart enough to know when the stored password doesn't work, why isn't it asking me for my password now?

I tried restarting RSSOwl, no luck.  Restarting the computer, no luck.  Re-adding the feed, no luck.  Googling for authenticated feeds and RSSOwl, password protected feeds and RSSOwl, no luck and no luck.  Googling the error message (I don't know why I didn't start here), no obvious fix, but it started me down the path to a fix.

I wound up on the RSSOwl help page (here http://www.rssowl.org/help in case you're interested).  They make a reference to the passwords being managed from Tools > Preferences > Passwords.  I wasn't sure what I was looking for when I got there, but what I found was a blank list of sites.  It looked similar to this with the section in the middle that lists sites empty.

The only button that wasn't grayed out was the "Reset" button.  Figured since it wasn't working anyway, resetting it wouldn't hurt.  So I clicked on Reset, it gave me a "are you sure" message and I clicked to Ok that.  I went ahead and Ok'd the Password window to close it.  Then I right-clicked on the Feed and selected Update.  Bingo!  The password window popped right up this time.  I entered my username and password and it was back working, the lastest feed updates came streaming in.

My Aventures in Installing Cacti (Part 2)

This is a continuation of my first post about installing Cacti.  You can find that post here

Now that I've got this new Cacti server up and running we need to get some data collection setup so we can get some of those pretty graphs.

But first things first.  Out of the box this install is setup for DHCP.  We'll need to change that to a static IP address so it doesn't go jumping around on the network.  Now that I'm done with all the console part I'm going to remove the keyboard, mouse, and monitor and I don't want to lose it on the network somewhere.

Configuring an IP address from the console on a Ubuntu box is pretty easy.   There are just a couple of changes that need to be made to a configuration text file.  That file is /etc/network/interfaces.  To edit that use the command sudo nano /etc/network/interfaces  All we going to do there is change the iface eth0 inet dhcp line to iface eth0 inet static and then add a couple of lines for the actual static address.  It should look similar to this when you get finished:

auto eth0
iface eth0 inet static
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.1
dns-server 10.0.0.2

Once those changes have been made we'll need to restart the network interfaces to make those go into affect.  To restart the network interfaces just use sudo /etc/init.d/networking restart

Easy enough, right?  Now we know which IP address our server will be using and we wont be at the mercy of our DHCP server.

Now let's log back into our Cacti server and get to setting that up.  You'll need to use the IP address that you configure to access the server, but it will look something like http://10.0.0.100/cacti  You'll log in with the username/password that you setup earlier when you went through the initial setup wizard.

Once logged into Cacti you'll want to add a new device. Just click on Devices on the left side and then click on Add over on the right side.  You'll want to type in a description that's useful for you.  This is what's going to show up in all the lists in Cacti.  For the hostname I just entered the IP address of the switch I wanted to monitor.  For host template, it defaults to None, but if you'll go ahead and select something here it'll make things a little easier later on.  For me, I'm monitoring a Cisco 3750 switch so I just picked the "Generic SNMP-enabled Host" template.  I left the next bit on the defaults.  I did have to change the SNMP Community string.  I couldn't remember what it was setup to on the switch so I had to go look through my documentation, but after I found it entered that in there.  If you're not sure just stick with "public", a lot of equipment comes with that by default so it may work for you.  Once you've got that in there, just click Create and then you'll be done with that page.

Your page now should have "Save Successful" at the top.  Below that it shows my SNMP info from my switch.  Over on the right there's a link for "Create Graphs for this Host."  Go ahead and click on that.  There should be a new page up that lists all of the interfaces on available on your switch.  If you don't see that, go back to the last screen and check that your Host Template is set correctly (mine is Generic SNMP-enabled Host).  Now for my switches I see all of my interfaces that are configured on the switches, the ports, and the stacking ports too.  If you've configured descriptions on your ports those will show up too.  For my interests I wanted to see how much traffic was coming and going on the WAN. So I picked the interface  (by checking the box at the right-hand side of the column) that I have setup as the "outside" of my site. Then down at the bottom I picked the graph type out of the drop down box.  For right now I picked "In/Out Bits with Total Bandwidth".  At some point in the future I may change that to one of the bytes graphs but for now I just went with the bits graph.  Now just click on Create and you'll have created your first graph in Cacti.

Wait, you just clicked Create and it doesn't look like it did anything right?  Check up at the very top, you should see a line that says "Create graph: blah blah blah"  I guess you want to see your graph now, right?  Well, I don't want to disappoint you, so I'll tell you how to get there.  Click on Devices on the left, then click on the Device that you added earlier, and then click on Graph List (toward the top right).  Then just click on the graph that you just created.  Voilà!  It's blank, right?  Well that's because we just set it up and there's no data yet.  By default it polls every 5 minute, so it's going to take a while to get some data.  Go do something else for a little and then come back.  Really, watching it doesn't make it go any faster.  Trust me.  I've tried.

While you wait, you can go ahead and add the graph to the "Tree".  This way you can just use the "graphs" link at the top to see your.... empty... graphs.  Don't worry, the data will start coming in eventually.  But let's pass this time productively and add it to the Tree already.  Go back to your Graph List.  You can do that the same way I listed earlier, or here's a different way.  Just click on Graph Management on the right, pick your host out of the drop down and you graphs should be listed there.  Now we want to pick one (check the box on the right side), then select the "Place on Tree (Default: Tree)" action out of the bottom drop down list, and then click on Go.  It asks for a Destination Branch, but right now we've only got one, the [root], so we're going to use it and click on Continue.

Now if you click on graphs at the top it'll take you to the graphs view (obviously, right?).  It defaults to the Tree view, but I don't have a lot in there so I click on the icon at the top on the far right.  I know it's a graph, but it looks like mountains to me.  Since there are not many graphs setup yet, I like this view better.  Later on I'll probably prefer one of the other ones, but for now I'll just stick with this one.

Still waiting for the data to show up?  Let's get rid of the localhost device and graph that came with the installation.  I don't really have any interesting in watching the machine that's watching everything else, so I just deleted that device.  To do that go back to the console and then click on Devices.  Check the box by your localhost and then select the Delete action at the bottom and click Go.  Click to confirm that you want to get rid of it and then it'll be gone.

By now you might have a single column on your chart.  It's not much to look at right?  Well, tomorrow it will be more impressive.  In the mean time you'll have to find something else to do.  How about reading some of my other blog posts?  That sounds like fun, right?

My Aventures in Installing Cacti (Part 1)

I wanted to do some logging of network interface usage on some of our switches so I thought I'd setup Cacti and give it a try.  Why Cacti, well I had used it before (years ago) and thought I'd use it again.

Where did I start?  I thought a linux box my be the easiest way to get it going.  I also thought if I ran into problems help would be easier to find for a linux box than a Windows box also.  So I went to Ubuntu's website and grabbed the latest LTS Server iso (which happens to be 12.04 Precise Pangolin).  Then I picked up a flash drive and used unetbootin to load the iso on the drive.  Waited for it to finish, then pulled the drive out and attempted to boot the system from the flash drive.

I noticed the boot loader mentioned loading some BSD files which I thought was rather odd, but I went on working on something else and waited for it to finish booting up.  I checked the boot screen and it wasn't a Ubuntu install, it was an install screen for an appliance that I had recently updated using that same flash drive.  Apparently UNetbootin didn't overwrite the other installer correctly.  The plan was to just format the drive and try again.  It seems nothing goes as easily as it should.  Windows only recognizes the 4gb flash drive as a 28mb drive.  Great, the appliance installer must have partitioned the drive and Windows can't read it correctly.  So I downloaded BOOTICE from http://bbs.ipauly.com/ to clear off the partitions and reformat the drive.

After doing that I, I then re-ran UNetbootin and loaded the iso back on the drive.  Did I mention that nothing seems to go as easy as it should?  I picked USB Boot out of the boot menu on the computer and bam, an immediate "Boot Failed" message.  Great...what's wrong now?  The drive had been a little slow to write to, maybe it had finally died.  Being in the computer business it seems there's always another flash drive lying around so I looked until I found a 1gb drive.  That doesn't sound like much but it's plenty for a Ubuntu installation.

Third time's the charm, right?  Run through UNetbootin to copy the iso to the flash drive, then boot the computer, and finally... a Ubuntu install screen.

This is all pretty basic stuff on the Ubuntu install.  I went through and did pick to use the entire drive and install LVM.  When it asked about what applications to installed I picked the LAMP option (that's Linux Apache MySQL PHP in case you wondered).  There are more guides for installing Ubuntu than you can shake a stick at so I wont cover that here.

After a couple of false starts there I finally got Ubuntu installed on the machine.  To get Cacti installed is pretty easy.  I did a sudo apt-get install cacti and it installed cacti and all the dependencies and loaded right into the cacti setup.

Setting up cacti is pretty straight forward.  Here's a link install-and-configure-cacti-monitoring-tool-in-ubuntu-9-10-karmic-server.html to a guide that's complete with screenshots.  This one's pretty close to what I saw.  The only difference I found is that the RRDTools version that comes with Ubuntu 12.04 is 1.4 instead of version 1.3 as indicated in the guide.  Also, I haven't gotten around to chance the Spine setup as indicated towards the end of the guide and so far mine is working fine.

At this point you should have your Ubuntu server up and running with Cacti installed and also running.

Since it seems this post is getting a little long, I think I'll break it into two posts.  Check back in for the second part.

Here's the link for that second part.
 http://practicalschooltech.blogspot.com/2013/10/my-aventures-in-installing-cacti-part-2.html

Assigning local rights through Group policy and making it work

Trouble getting local computer rights assigned through group policy?  Have you read all the articles that tell you to edit the GPO and assign the rights?  Are they still not showing up on your Windows XP machines?  That's the trouble I ran into.

Before I get too far into this.  Let's go back to begining.  We made the switch to from a Novell network (Netware servers, eDirectory, ZDM, iPrint and the Novell Client) to Microsoft network (Active Directory).  After the switch we needed someway to manage the rights that local users have on machines.  In the past we used ZENworks and when users logged into their computers (through the Novell Client), Zen would pick that up and create a local user for that person with the rights that we assigned and then seamlessly log the user into that account.  When using AD it doesn't work the same.  The users just log into the machine, because the machine is in the domain they don't get (or need) a local account.  Which is great, except that some of the people need to be administrators or power users.  I know I could go through group policy and assign specific rights, but we don't need that granular of control.  Just making them members of the local groups is good enough.

Now there's a couple of ways to get them in as member of a group.  The original way to do it with group policy was to use the Restricted Groups feature.  Doing it that way makes sure people are members of the group and that only those people are members of the group.  That's nice for some environments, but we don't need that level of control.  For us, all we need is to add people to groups from time to time.  There's a new way to do just that.  Well, I say new way, it's been around for 5 or 6 years.  Its through an addon to group policy called Client Side Extensions.  Microsoft bought out a company that was doing some neat group policies addons and then MS built it into Windows and released it free of charge for all to use.  But that's a story for a different day, the point is that I wanted to assign the group membership using this part of gorup policies. So I started doing my homework.  I read a lot of posts about using them and I dug through the MS documentation.  It seemed pretty straight forward, I made my own policy, I assigned it, then I tested it, and then I found out it didn't work.

What had I missed?  I went back through and double-checked everything.  And then I tested agian.... nothing.  And I tested again and again.  It just wasn't working for me.  As it so often happens I got pulled away to work on something else, but I had left the policies applied.  They weren't working but didn't appear to breaking anything, so what did it matter, right?  A few days passed and then I got back to working on this problem again and guess what, it worked.  Right... it worked.  Go figure.  What had changed?  I went back through everything and the only thing that had changed was my test machine.  Lesson learned, if at first you don't succeed, try a different test machine.

Now that I knew the problem was in my machine, I just had to figure out what exactly it was.  Back to the internet to see what pieces made these group policy extensions tick.  What I found was two different Windows update that make it happen.

The first one is KB915865 which covers XMLLite.  If you're running XP 32-bit here's that download link so you don't have to go looking for it http://www.microsoft.com/en-us/download/details.aspx?id=13978

The second update is KB943729 which covers the actual new Group Policy preferences.  If you're running XP 32-bit here's that download link as well, http://www.microsoft.com/en-us/download/details.aspx?id=3628

Now that you know what you need to you need to figure out what systems need it right?  Well the fastest way for me to tell if the computer is working right is to use NET LOCALGROUP ADMINISTRATORS at a command prompt.  We've got a couple of accounts that we add as local admins on all machines, if the only thing listed on that command is a "MyDomain\Domain Admins" then I know I'm missing one of the updates listed above.

How about a quick way to tell which update you're missing?  Check the C:\WINDOWS\SYSTEM32 folder.  The XMLLite update installs an XMLLITE.DLL file, if it's there, then the update has been installed (of course it could be corrupt or not registered correctly).  To see if Group Policy preferences update has been installed look for a GPPREFCL.DLL file.

So one command to see if it's working.
NET LOCALGROUP ADMINISTRATORS

And two commands to figure out what you're missing.
DIR C:\WINDOWS\SYSTEM32\XMLLITE.DLL
DIR C:\WINDOWS\SYSTEM32\GPPREFCL.DLL

After you install the updates just let the machine reboot and log back in.  I have noticed that on the faster machines if you log back in after the reboot with a machine that's supposed to be getting admin rights that it doesn't get the rights on first log in.  If you check the group memberships it shows up rights but you don't have admin rights.  I think what's happening is that the system is logging the account in before the group policies have time to finish applying and since the memberships haven't assigned when the account logs in it doesn't get the rights.  By time you can check the memberships it shows up correctly, but you don't have the rights because the weren't there at login.  The fix is to just log out and back in and then you'll have the rights.  The irony is that it seems like some of our slower machines are not affected by this, I guess the policy has time to finish applying before it actually starts processing the login.  Who knows?  If all it takes is a log off and back on, I'll take it.

Changing XP Wallpaper from ZENworks

I mentioned in a previous post  ( Changing XP Background (Wallpaper) Images ) about creating a ZENworks application to reset the background or wallpaper image.  But I should have tested my app more thoroughly as it took a little tinkering to get it working.  ZENworks veterans probably wouldn't have made this mistake, but as I'm new to version 11 (made the jump from 7) I did make the mistake.

The most common bundle action that I use is one of the "Launch" actions, whether it's an executable or an installer.  Those actions by default run as the logged in user.  What I found out is that "Registry Edit" actions by default execute as the System account.  Which is probably great for making sure that the settings apply, but that's not so great when you're working in HKEY_CURRENT_USER.  But there's an easy fix for that.

In the action properties just go to the Advanced tab and look at the "Run Action As" section.  There's two ways to run it as System and as User.  When you pick System there's one optional setting "Apply HKEY_CURRENT_USER changes to the logged in user's hive instead of .DEFAULT".  The is fix is to check that box to make it work.  Easy enough, right?  I probably could have used the run as user option, but I tried checking the box worked and that fixed it, so I didn't try it with the user option set.  

Here's picture so you can check that we're both looking at the same thing.   

Removing iPrint Printers and Uninstalling Novell iPrint Silently

Over this past summer break we changed our servers from old Netware 6.5 servers and we moved to new Windows Server 2012.  At the same time we also changed from ZENworks Desktop Management 7 to ZENworks Configuration Managment 11.  Since we had over 3000 machines across 10 campuses to change over and there was only 3 of us we did our best to move as fast as we could.  In our haste we left the old Novell iPrint client (and iPrint printers) on the machines.  So now that school is back in full spring and we're almost caught up we need to tackle the issue of removing all of those old printers that are confusing the teachers.  We're not about to go back out and touch all of those machines again, that wouldn't be very practical.  So we're going to do our best to automate the process.

How best to go about removing all of those old printers?  You could write a script to loop through every printer on the local machine and check the name for ipp and remove it.  That sounds like it would be a lot of steps and as anyone that has spent any amount of time working in IT knows, the more steps the more places for something to break.  We wanted fast and simple.  So we dug a little further and found that we can simply uninstall the iPrint client and it removes the iPrint printers with it.  Keep in mind that this was an option for us because we are no longer going to be using iPrint.

So how best to uninstall the client?  You can download an "installer" from Novell that uninstalls the client.  Which is pretty cool.  If you haven't messed with iPrint much you should check out Novell download section for it.  They package several different installers to do a normal install, a silient install, a silent install with reboot, an uninstall.... (you get the picture, right?).  These are handy, because they don't require any command line switches, and you can just give users the file they need and tell them to run it.

But I didn't want to have to distribute another file just to uninstall a program.  So I dug through and found the uninstall command for iPrint.  It turns out that it's a pretty straight forward command:

C:\WINDOWS\system32\iprint\setupipp.exe /uninstall

Which almost works for us by itself, but it's not silent.  The user has to click that yes, they want to uninstall.  We don't like manual steps around here.  We don't like having to manually do something ourselves and sometimes simple things like clicking "Next" is a lot to ask of the users.

I did some Googling of the setupipp.exe command and really didn't come up with much.  So I made an educated guess and tried a "/silent" switch.  What do you know, it worked.  So if you want to silently uninstall iPrint you can use this command

C:\WINDOWS\system32\iprint\setupipp.exe /uninstall /silent

A quick check shows that after the uninstall finishes the setupipp.exe file gets removed too.  Which is great for us to use to automate.  I put together a ZENworks bundle that looks for C:\WINDOWS\system32\iprint\setupipp.exe as a requirement (which means iPrint is still on the machine) and then it it runs C:\WINDOWS\system32\iprint\setupipp.exe /uninstall /silent to remove it.  This works great, since it will only run on machines that have iPrint installed I can assign it to everyone without having to figure out first who needs it and who doesn't. And it doesn't require any work on the part of the user.  I'd call that a win win situation.

Didn't I mention above that I went Googling for the command line switches for setupipp and didn't have any luck?  Well I feel a bit dumb about it now.  I went back and tried the "/?" option on setupipp and what do you know, it tells you all of the command line options.  I guess there could still be something that's not documented, but it would have told me everything I would have needed to know.  The lesson here is don't go searching the internet for help with the program itself will help you out with only two extra characters, a / and a ?.

Just in case you want to know what those options are and you don't happen to have iPrint installed anywhere.  Here they are

---------------------------
iPrint Client Install
---------------------------
Installs or Uninstalls the Novell iPrint Client.

SETUPIPP [/S /R /U /L /?]

              The default (no options) runs the install wizard.

    /S      Install/uninstall the client silently.
    /R      Restart the workstation when the install/uninstall is complete.
    /U      Uninstall the client from your workstation.
    /?      Display this help screen.
    /L      Install for an LDAP compliant environment (only unique usernames).


Don't have ZENworks but want to do this remotely?  You can probably use PSEXEC to accomplish the same thing.  Luckily, since you're running it remotely you don't even have to worry about checking for setupipp first.  Just try to run it, PSEXEC will simply fail if iPrint isn't installed and the file isn't there.  Questions about using PSEXEC, check out my other post  http://practicalschooltech.blogspot.com/2013/10/remotely-installing-software_11.html

Changing XP Background (Wallpaper) Images

I know, I know, XP's old.  But this is Practical School Tech and education is a little behind the times.

We had a couple of student systems where the students had set a background image by right-clicking images in IE and setting them as the wallpaper.  Cute trick, right? But it's a pain to undo on a system where they don't get rights to the Display Properties page.  The setting is stored per user (that way everyone can have their own) which is great unless your using a generic account that several students share.  So how to undo it?

I though I'd start with the background image file.  I did some Googling and most places said look in here 
C:\Documents and Settings\Local Settings\Application Data\Microsoft\

But that isn't the right path, but it's close, it's really in
 C:\Documents and Settings\Application Data\Microsoft\Internet Explorer

Or if you want to find it in a batch file (or just typing by hand), try this path instead
%AppData%\Microsoft\Internet Explorer

After finding the file I wanted to know where it is set in the registry.  Since the image was set from inside IE file name was a very descriptive Internet Explorer Wallpaper.bmp.  That's fairly unique, so I just searched through the registry for that file name.  It turns out that path is stored in
HKEY_CURRENT_USER\Control Panel\Desktop

To clear the background image out I just blanked out the registry here.
HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper  

After a reboot (or log off and log back on) the background image will be cleared and you'll be back to the pleasant soft blue.  

But I didn't want to stop there.  I wanted the change to go into affect immediately. I new when I changed the background through the Display Properties that the change happened right then.  So that means there's a programmatic call somewhere that can make that happen.  I had figured it was probably in some windows dll file and since wallpapers had been around so long that it was probably in one of the more common ones.  A little more Googling and I came across this line

%SystemRoot%\System32\RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

I crossed my fingers and gave it a shot and what do you know, it actually worked.

So I take all this information and roll it into a ZENworks bundle that deletes the key and then calls the UpdatePerUserSystemParameters to make it go into affect immediately.

Remotely installing software

Ever need to install software remotely?  Why not just fire up Remote Desktop (or VNC) and connect and install right?  That works great if it's one machine you need to install software on.  What happens when you have a lab full of machines that you need to install software on?  You either need a lot of time or something that works faster than remotely installing it on each machine.  So what are you options?

A login script.  Great!  But you have to make the script, associate with only the machines (or specific user) that you need it on, and then wait for someone to log into the machine.  Or remote the machine and log in yourself, but that doesn't really help us speed up anything since we need to make sure it gets installed.

Group policy.  The old school way to push software requires an MSI.  The programs that I was installing didn't come packaged in an MSI, it was an EXE.  Yes, I know I could repackage it into an MSI, but I want to get this software installed quick and I don't want to spend the time on that.

Third party management software.  Yes, this a really good option.  The problem is that we're still working the bugs out of the management software right now and for an unknown reason it doesn't want to push these installers.  The long term way to push software is going to be to get this fixed.  But right now I'm going to postpone troubleshooting on the management software just so I can quickly get this software installed and get the end users back running.

So what did I finally go with?

PSEXEC.  Psexec is your friend.  It's one of the ps tools available from Microsoft (formerly Sysinternals). It's a free download and it will let you execute commands on remote systems.  So with a quick (and very dirty) batch file I was a able to loop through a list of computer names and install programs that I needed to get installed.

psexec /? will give you all the options, but for my purposes here's what I used:

psexec \\machinename -user someuser -p somepassword C:\installerfilename.exe /switches

And that's it.  Well, actually I used a FOR loop in a batch file to process through all the machine names, but the actual work was done with that command right there.

Here's a link for info on the FOR loop.  http://ss64.com/nt/for2.html   This post is starting to run so I'll save the notes about FOR loops for another post.

Back in the Game

Looks like I took a long break.  But I'm going to start back here and get back into writing again.  My goal is to write more than 1 post per week.  I would really like to be able to churn out one every day but I'm trying to set a more realistic goal.  Hopefully, that will mean some more helpful information is going to come pouring out onto this blog.  I guess the worst case is that it'll be a lot of random thoughts that come pouring out.