Admin Arsenal Blog

Setting your Component Services (dcomcnfg.exe) configuration can be more difficult than you think. DCOM (Distributed Component Object Model) can, by default, only be set locally at the workstation. This fact alone can make troubleshooting DCOM configurations a major pain. Enter DCOMACLS.EXE

If your Component Services security is not set properly you may find that remotely managing your computers is difficult, if not impossible.

DcomAcls.exe is a free utility that is bundled with Admin Arsenal. It allows you to view and set DCOM security locally OR on remote systems.

If you want to configure your Component Services locally then you can launch your Component Services manager via Administrative Tools (in the Control Panel) or by Start / Run / dcomcnfg.exe.  To view or configure remotely you will need to use DcomAcls.exe.

When you select the Properties for My Computer you can view the Default Properties tab. Under COM Security tab you will see the Access Permissions and the Launch and Activation Permissions for COM. Below is an example of the window which will show after pushing the Edit Limits... button under Access Permissions.

To set the permissions you want WITHOUT having to go to each computer and manually make these settings, you can use the DcomAcls.exe utility in the Program Files\Brisworks\Admin Arsenal directory.

The command below will give  Allow permissions for Remote Access to the user Domain\Tom.Waits on the computer named Raindog.

dcomacls.exe -allow AL.R:Domain\Tom.Waits -computer Raindog

The command below will change the Default Impersonation Level (on the Default Properties tab) to Impersonate on the computer named Raindog.

dcomacls -property impersonation=impersonate -computer Raindog

Check out the usage for DcomAcls.exe by running

dcomacls.exe /?

DcomAcls.exe does require that the Remote Registry service be running on target systems.

Microsoft has a lot of products. A lot. So, it's not surprising that occasionally they name things in a way that causes a bit of confusion. Here's an example that's bitten me lately.

Microsoft has a product called the .NET Framework. This product, which is used by application developers and needs to be installed on a computer in order to run those developers' applications, is actually a family of products. There have been 5 major releases:

• .NET Framework 1.0
• .NET Framework 1.1
• .NET Framework 2.0
• .NET Framework 3.0
• .NET Framework 3.5

This list looks to be very simple, but it's a bit deceiving. Version 3.0 and 3.5 are actually separate products from 1.0, 1.1, and 2.0. They've just confusingly been given the same name. Versions 3.0 and 3.5 include 2.0 as part of their install, so it shouldn't really be a problem... Except in at least one case.

When Microsoft released version 3.5 they released 2.0 Service Pack 1. Among other things, the service pack allowed applications written to only support version 2.0 to use some of the new features in 3.5 (with a bit of tweaking.) It gave developers a way to get some 3.5 goodness without requiring that all of their customers install the just released 3.5.

Admin Arsenal is one such product; it requires .NET Framework 2.0 SP 1 or later. This has led to some confusion with users who have only version 3.0 installed, which is anyone with a default installation of Windows Vista. It sounds like having .NET 3.0 would indeed be "or later" than 2.0 SP 1, but it isn't. The fix is to install .NET 2.0 with SP 1, which sounds like it's going backwards, but it's actually more like going sideways with slightly forward curve.

Keep this in mind if you have .NET applications that don't seem to behave correctly on .NET 3.0. Not all installers verify which Service Pack for .NET is installed, and some .NET applications (mainly in-house ones) will have no installer at all.

There is an old saying used by the US Navy submarine forces; "we hide with pride". Let's take this page from their playbook and apply it to our roles as system administrators. Reboot with pride.

In the past, rebooting a computer, especially a server, seemed to be almost an admission of guilt. For two decades Unix administrators have been needling their Windows counterparts over uptime and availability. Thanks to a better understanding to security (not to mention redundant servers) no longer are we willing to sacrifice security for bragging rights.

Windows systems need to be rebooted every month. Not because of leaking handles or poor performance, but for security. Microsoft releases patches monthly, therefore admins should be patching monthly. No excuses. Period. The end. Ummm, we've come to the part of the sentence that is meant to convey that there is no other alternative.

Unix administrators are slightly more free, key word being slightly. Depending upon the vendor, they usually patch quarterly. Gone are the days of the 365+ day server uptime. In fact, if you run into a Unix admin boasting of 365 day server uptime, feel free to thank him for letting you know that his systems are missing several quarterly security patch releases, therefore letting the free world know that his systems are vulnerable to whatever ailment(s) were patched in the past year. You can then remind him that he obviously failed his social engineering / corporate espionage training and that he should expect this serious vulnerability to be posted on your Myspace and Facebook pages in a matter of minutes (feel free to take a photo of his sweat-stained shirt with felt-tip ink blots on the pocket just to spice up your page a little).

Lest we be remiss, we don't want to exclude our application friends. Those wonderful Exchange, MS-SQL, Oracle, and < insert vendor specific application here > admins who also receive monthly/quarterly patches and should be scheduling their maintenance downtime right directly.

So be proud. You've earned it.

Many of the requests which are made to a Systems Administrator (apart from the usual hygiene stuff) are much easier to fulfill than you may realize.

It seems your boss would like to know how many computers are currently online. Let's not ask why she wants to know this as we've stopped wondering things like that long ago.

Boss: "How many computers do we have in the company?"

SysAdmin: "Oh, that's easy" you say and you simply look at the main window in Admin Arsenal and read off the count of computer objects that is displayed in the status bar at the bottom of the window. "We have 233 computers."

Boss: "How many of those computers are being used right now?"

SysAdmin: "Well, let me see how many are online."

You simply create a new Dynamic Collection and in the filter drop down field you select "Online Status" equals "Yes" and then close the Collection definition window. Selecting the new Collection from the main window now shows only machines that are online.

SysAdmin: "It looks like 191 computers are currently online."

The online / offline status is determined by the Admin Arsenal Heartbeat feature. To determine the online status of remote machines the Admin Arsenal console will periodically (as defined in your Preferences window) send a ping (along with a few other minor WMI queries) to all computers in your environment. In order for machines to show the correct online/offline status, each machine needs to be able to respond to ICMP Echo Requests. If your environment blocks internal ICMP requests then you can enable them via GPO and the Windows Firewall.

The Heartbeat feature is configured using the Preferences command under the Admin Arsenal menu from the main window.

Thanks to Chris Avis for pointing out the new Microsoft Thrive effort for techies. It's coming at a good time as some of our kindred are finding themselves polishing up their resumes.

I remember in 2001 when a large food distribution company was hiring for one Windows NT server position. My brother-in-law was in charge of filling the position. He had over one hundred resumes coming in, and the guy they eventually settled on was willing to take 40k per year, vastly lower than he was getting only a year earlier.

If you are finding it difficult to land a job I strongly suggest using all the resources available to you, including some very focused training. Don't discount seminars and conferences. True, they cost some coin, but to use the often quoted cliche, "How much is your career worth to you?"

Kudos to Microsoft for making a good effort in providing options for their evangelists.

One thing that I've always enjoyed about working on Apple OS X is the ability to mount disk images. These act as though they were physical disk drives, however they are just files. One of the best uses for this technology is to mount CD and DVD images. More and more software is being delivered as ISO disk images, which are meant to be burned to physical media before use. Much of Microsoft's MSDN library of software comes as ISO files from their servers. It's tedious to have to burn them to disk before use. What's an admin to do?

Enter SlySoft's Virtual CloneDrive. This slick and free package installs a driver which allows you to mount DVD and CD files on a virtual drive. It really couldn't be any easier.

1. Download the installer from SlySoft - The installer is a svelt 1.4 MB.
2. Run the installer and answer questions about install location, file associations, and shortcuts.
3. Be sure to continue through the unsigned driver warning (if you're on XP, I haven't tested on Vista). Unfortunately, the driver isn't signed, but I can easily let that slide for the price.
4. No need to even reboot (in my experience). Suddenly you will have a new DVD drive show up.
5. Double click on an ISO file.

That's it! 5 minutes start to finish and you can install from those pesky ISO files without going through the trouble of burning them. It even works over a network, so you can keep a library of installer DVDs on a file share for everyone to use.

Video Demo of Installing Virtual CloneDrive

I tip my hat to the people at SlySoft for making my life, and hopefully yours, easier. Thanks guys!

Your users are complaining that they are constantly seeing a reminder window to update Java. They usually want to know one or more of the following:

1. Should I install the update?
2. Should I ignore the update?
3. Can I have these notifications disabled?

Since most applications keep their respective configurations in the Windows Registry it is a good bet that you can reach your desired goals by modifying the registry.

Note: I hate the phrase "hack the registry". You can only "hack" the registry if you make a change to the registry that wasn't intended to be made. Most areas of the registry are made to be modified, either manually or automatically, so it is as much of a "hack" to modify a value in the registry as it is to modify a sentence in a Microsoft Word document.

By looking online (thank you Google) I was easily able to find the modification needed to turn off Updates for Java. Here is the following Registry Key that you need to modify:

HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy

Turn off the Java Update feature by setting the EnableJavaUpdate value to "0". This will not only prevent the user from seeing the update requests, but it will also prevent them from updating at all. When you, as the administrator, are ready to update Java across your environment you can do so in an orderly and efficient way with software deployment.

To turn off the Java Update feature on mulitple machines, I suggest using the Remote Command feature in Admin Arsenal. The following command will turn off Java Updates:

REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 0 /f

The above command basically states: Add (or modify) the EnableJavaUpdate value to "0" and the type is DWord. The /f option forces an overwrite, which you will want to set if you are going to make this change en masse.

You can find the usage options for REG.EXE by running the following command from your Command Prompt:

REG /?

and

REG ADD /?

Run your desired command on multiple computers at once (above we have selected an entire Collection) 

In Admin Arsenal, collection folders are handy to keep your collections organized, especially when you start to get a lot of collections to keep track of. What you may not realize is that folders can also hold computers. This is accomplished by Collection Folder Rollup.

Rollup refers to the ability of folders to look at each collection inside of them, combine all of the computers in each, and roll them up into a single list. This is especially useful when the criteria for your collections is hierarchical in nature. Consider the following example:

This hierarchy works great if you want to quickly see which computers are servers, or only the servers with Windows 2008. To get the computers to flow up into the folders, you need to set the Collection Folder Rollup property of each folder. This is done by right clicking on the folder.

You have three choices for rollup.

1. No Children - Don't do any roll up, the folder contains no computers.
2. All Children - Include any computers which are in all of the child collections. A computer must show up in every collection to be in the folder.
3. Any Children - Include computers if they appear in any child collection. This is the choice that we want for the example above.

Once you have your collection folders rolling up computers, you can use them everywhere you would use a static or dynamic collection.