Christjan's IT Minutes » Dynamically fix invalid ClientKeyData issue on central site:
Great little article to fix DDR ClientKeyData mismatch messages from a central site in SCCM 2007.
Welcome to my blog...it is just a bunch of random notes to myself, for myself, and if it happens to help someone else...cool. I am currently working for a large consulting company which supports a national nonprofit organization with 23000 workstations and 250 configuration servers.
Monday, December 3, 2012
Friday, November 2, 2012
SCCM Console Permission Issue
Normally setting up SCCM permissions is pretty straight-forward. However, a couple weeks ago we applied a couple server patches and rebooted our central site server. By Monday, our level 2 help desk users stopped having access to the SCCM console. First we tried checking to see what changed over the weekend. Did someone modify an AD group?
Here was the main Microsoft article that we were focused on. Unfortunately we didn't see the helpful tasks at the bottom until today.
http://technet.microsoft.com/en-us/library/bb932213.aspx
We got trapped looking at DCOM permissions shown under this article.
http://technet.microsoft.com/en-us/library/bb633148.aspx
When we finally looked at WMI permissions by using this test.
http://technet.microsoft.com/en-us/library/bb932190.aspx
After finding a problem connecting to the WMI namespace, we then used this article to recreate the correct permissions for the local "SMS Admins" group.
http://technet.microsoft.com/en-us/library/bb932151.aspx
Here was the main Microsoft article that we were focused on. Unfortunately we didn't see the helpful tasks at the bottom until today.
http://technet.microsoft.com/en-us/library/bb932213.aspx
We got trapped looking at DCOM permissions shown under this article.
http://technet.microsoft.com/en-us/library/bb633148.aspx
When we finally looked at WMI permissions by using this test.
http://technet.microsoft.com/en-us/library/bb932190.aspx
After finding a problem connecting to the WMI namespace, we then used this article to recreate the correct permissions for the local "SMS Admins" group.
http://technet.microsoft.com/en-us/library/bb932151.aspx
Tuesday, September 11, 2012
SCCM 2007 Windows 7 Project Dashboard
My major project for this year is preparing, designing, and building a process and methodology for upgrading 5000+ XP workstations to Windows 7 at the hospital. Upgrading to Windows 7 is a major project and took a number of resources. Me and my partner were only responsible for building the OS and using the SCCM tools. There was a Desktop Manager to handle purchasing the hardware and make decisions on where that hardware us used. There was a project manager who was very useful just keeping everybody in line and keeping track of what was said in previous meetings. There was an Applications Manager who managed a team of individuals who would have to test all our applications with Windows 7 (later on Windows 7 with 64-bit). And of course we had a Desktop Team lead who managed the resources necessary for moving hardware around and interfacing with the customer/clients.
The project started in January as a hardware attrition model whereby we would replace XP workstations with new hardware with Windows 7. Not surprisingly, we only received the budget to replace 10-12% of our inventory. If anyone is keeping track, that would put the end date for this project at best into 2020 and at worst 2022 -- time for plan B, upgrading current hardware.
It took my partner and I three months to build a decent Windows 7 Operating System Deployment task sequence. From there we added local User State Migration but asked for some direct Microsoft Professional Field Engineer (PFE) to verify our process and make sure that we approached USMT for 5000 without too much egg on our face. Microsoft helped us leverage Microsoft Deployment Toolkit (MDT) 2012 and tweaked our USMT. Best of all they gave the USMT the stamp of approval for which I was looking.
Here is the Windows 7 Dashboard I built and the queries used to create it:
Left side:
SELECT OPSYS.Caption0 as C054, COUNT(*) AS 'Count'
FROM v_GS_OPERATING_SYSTEM OPSYS
inner join v_R_System sys on OPSYS.ResourceID=sys.ResourceID
join v_FullCollectionMembership SYS1 on SYS1.ResourceID=SYS.ResourceID
WHERE SYS1.CollectionID = 'CM0004C5'
GROUP BY OPSYS.Caption0
ORDER BY Count DESC
Right side:
DECLARE @daysleft int, @workdaysleft int, @targetdate datetime, @previousos nvarchar(30)
SET @previousos = '%Microsoft Windows XP%'
SET @targetdate = '2013-04-30'
SET @daysleft = DATEDIFF(day, GETDATE(), @targetdate)
SET @workdaysleft = (@daysleft*5)/7
SELECT
CAST(GETDATE() AS nvarchar(30)) AS 'Today',
CAST(@targetdate AS nvarchar(30)) AS 'Target Date',
@daysleft AS 'Days Left',
@workdaysleft AS 'Work Days Left',
OPSYS.Caption0 as 'Previous OS',
COUNT(*) AS 'Count',
COUNT(*)/@workdaysleft AS 'Upgrades Per Day'
FROM v_GS_OPERATING_SYSTEM OPSYS
inner join v_R_System sys on OPSYS.ResourceID=sys.ResourceID
join v_FullCollectionMembership SYS1 on SYS1.ResourceID=SYS.ResourceID
WHERE SYS1.CollectionID = 'CM0004C5'
AND OPSYS.Caption0 like @previousos
--WHERE SYS1.CollectionID = @CollID
GROUP BY OPSYS.Caption0
ORDER BY OPSYS.Caption0
Friday, August 24, 2012
Enterprise Auto-Login Application for Windows Desktop
Here is a wishlist for an Enterprise Auto-Login application for the hospital where I work.
First the behind-the-scene story: We have a high number of shared workstations that do not rely on Windows Authentication for security but instead opt for Application specific authentication. These are kiosk stations where person after person needs to walk up, log into the application, read or post medical information and walk away. Medical standards require us to use application specific authentication for tracking access to patient records. Most of these devices are just Citrix windows into the medical applications.
We are currently using a text file to comma-delimited the username, the password, and the computer name. We then have a login script that uses that parses that text file and populates the correct registry key for AutoLogin and ForceLogin.
Here is what I brainstormed as a possible application that we could build in-house or outsource. I couldn't find any comparable application on the market. If anyone wants to run with this idea, just let me know so that our hospital can buy it :)
First the behind-the-scene story: We have a high number of shared workstations that do not rely on Windows Authentication for security but instead opt for Application specific authentication. These are kiosk stations where person after person needs to walk up, log into the application, read or post medical information and walk away. Medical standards require us to use application specific authentication for tracking access to patient records. Most of these devices are just Citrix windows into the medical applications.
We are currently using a text file to comma-delimited the username, the password, and the computer name. We then have a login script that uses that parses that text file and populates the correct registry key for AutoLogin and ForceLogin.
Here is what I brainstormed as a possible application that we could build in-house or outsource. I couldn't find any comparable application on the market. If anyone wants to run with this idea, just let me know so that our hospital can buy it :)
- Switch to using Microsoft's AD Lightweight database (LDAP) or some other SQL application
- encrypt and salt the password field with sha256 hash
- No person ever needs to know the password so the passwords should be randomly generated
- the passwords should change every 30 days
- The username can be randomly generated but needs to have some pattern (ie. auto-FF342D)
- The table would be basic computername, username, and hashed password
- This application should have the AD rights to create usernames and modify passwords
- If a password gets lost in transit, just recreate a new password
Right now the client uses the login script to read from the text file and create the correct registry changes so an equivalent program or script would need to be run on the workstations.
- Read content from the database and query based on the computername
- Modify the local registry if it finds a match
- AutoLogon = 1
- ForceLogon = 1 or 0
- My understanding from SysInternals Autologon application that there is a better way to store passwords in the registry
- When no match is found in the database, the local app should reset AutoLogon = 0
Monday, May 14, 2012
Root Droid Incredible from 2.3.4
I wasn't able to follow any other advice on how to root my Droid Incredible once I upgraded to Verizon's Gingerbread 2.3.4. I found some articles describing how to downgrade the firmware and then use unrevoked to root the phone but I had no luck getting these instructions to work. Instead, I followed my own path using HTC's bootloader unlock tool which was released for the Droid Incredible.
My only complaint with HTC's bootloader unlock tool was the necessity for using Windows to unlock the phone. I attempted to use Wine under Ubuntu with no success. I have a virtual Windows 7 using VirtualBox that may have worked but I was tired and decided to use another computer in my office.
My Goal:
Install CyanogenMod and try out an Ice Cream Sandwich build CM9Issues with Ice Cream Sandwich on Droid Incredible at the time of writing:
- Video Recording doesn't seem to work -- other camera functions seem to work just fine
- Once rooted, can't rent Movies from Google Play store.
- Netflix fails playing back video -- Audio works with a blank picture, there are reports that the DRM is broken and won't be fixable
- Composite video output via special cable has never worked on CyanogenMod and I didn't expect it to magically work. I believe, HTC created the video output prior to Android having an API for HDMI outputs let alone working with composite video.
- I don't have Verizon service on this phone any longer so I can't test phone functionality but I was able to get it to call *228 to try to register with Verizon and I have gotten phone to work with previous versions of CyanogenMod.
You will need:
- One Microsoft Windows Computer to unlock the bootloader
- One Compuer (Can be the same computer as above) with Android SDK tools (adb) -- Ubuntu Linux is my main computer
- One Droid Incredible with USB Debugging turned on
- One SD Card -- I'm using a 16 GB card. SD content is not touched following my instructions but be careful there are some options that will format your card and then your backups and other content will be deleted.
- Bootloader: the BIOS of the phone -- Navigate through this using Volume Up/Down and Power Button as the Enter key
- Recovery: Recovery partition and application used to reset the phone to factory defaults. Can be customized using CyanogenMod's Clockwork recovery which gives more flexibility than Verizon/HTC's stock recovery
Here are the steps:
- Follow HTC's instructions for unlocking the bootloader on the Droid Incredible
- Reboot the unlocked phone to Bootloader by holding the Volume Down while pressing Power to turn on the phone.
- Select Fastboot (not available if device is not unlocked) (Use Volume Up/Down to select and the Power Button as Enter Key in this mode)
- Download or compile fastboot for your OS of choice (Again I'm using Ubuntu Linux)
- run 'fastboot flash recovery recovery-clockwork-5.0.2.0-inc.img'
- run 'fastboot reboot'
- Hold the Volume Down key while booting to get to the Bootloader and Choose 'Recovery' to start the recovery-clockwork application.
- Clockwork Recovery
- First let's make a backup of Verizon's 2.3.4 Droid Incredible -- Choose 'backup and restore' (In this application Volume Up/Down are used for selection and the optical joystick button is used for Enter -- Power Button is now used as a screen saver)
- This will save the backup to a folder on the sdcard under clockworkmod
- Choose to install zip from sdcard
- Navigate to %ICS%.zip
- After successfully applying the image zip, then choose 'wipe data/factory reset'
- This is done because we are using an entirely different system -- there is no easy upgrade path. Without the factory reset you may get a number of errors
- Next we need to apply the gapps zip for CM9
- Finally 'reboot system now' and wait for ICS to build some packages for the first time.
I'll try to fill in more details and take some pictures of the Bootloader and the Recovery Screens.
Friday, May 4, 2012
Achieved Handbrake on Ubuntu 12.04 Precise Pangolin
I upgraded to Ubuntu's newest version 12.04 Precise Pangolin earlier this week and ran into a problem with Handbrake working. The website offers a ppa repository that unfortunately does not have an updated binary package or repository for the new version of Ubuntu.
Being from old school Debian :) I knew that there was some ~easy way to install Handbrake through the deb-src of the older version of the source repository. Add this to your /etc/apt/source.list or /etc/apt/source.list.d/stebbins-handbrake-releases-precise.list
Follow these steps that I got from Debian's Manual:
Being from old school Debian :) I knew that there was some ~easy way to install Handbrake through the deb-src of the older version of the source repository. Add this to your /etc/apt/source.list or /etc/apt/source.list.d/stebbins-handbrake-releases-precise.list
deb-src http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu oneiric mainThen run 'sudo apt-get update' or 'sudo aptitude update' to update the local software database.
Follow these steps that I got from Debian's Manual:
- Now, first get the source package:
- apt-get source foo
- and change to the source tree:
- cd foo-*
- Then install needed build-dependencies (if any):
- sudo apt-get build-dep foo
- Then create a dedicated version of your own build (so that you won't get confused later when Debian itself releases a new version)
- dch -l local 'Blah blah blah'
- And finally build your package
- debuild -us -uc
- If everything worked out fine, you should now be able to install your package by running
- sudo dpkg -i ../*.deb
Tuesday, May 1, 2012
SCCM 2007 Reboot Report
We unfortunately have some devices inside our hospital that cannot be rebooted after applying updates. These are not critical patient care devices but they are used sporadically 24/7 and therefore we cannot schedule a clean reboot. For example, we have a computer that is being used during a sleep study that is not directly used all night long (cannot click postpone reboot) but that nevertheless needs to be managed. Our current solution is to apply updates to a specific group of computers and then have our application team manage rebooting those machines at their convenience.
We needed a report that could be used to show when the last time a computer was rebooted based off of a collection. This is what I was able to come up with:
We needed a report that could be used to show when the last time a computer was rebooted based off of a collection. This is what I was able to come up with:
SELECT DISTINCT
sys.netbios_name0 AS [Computer Name],
[Top Console User] = CASE
when (v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP.TopConsoleUser0 is NULL or v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP.TopConsoleUser0 = '-1')
then 'Unknown'
Else v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP.TopConsoleUser0
End,
CONVERT(VARCHAR(10),os.LastBootUpTime0,101) AS [Bootup Time],
Datediff(dd, os.LastBootUpTime0, GetDate()) AS [Days Since Last Reboot],
CONVERT(VARCHAR(10),wss.LastHWScan,101) AS [Last Inventory]
FROM
dbo.v_R_System_Valid AS sys
LEFT JOIN dbo.v_GS_Operating_system AS os
ON sys.resourceID = os.resourceID
LEFT JOIN dbo.v_GS_Workstation_Status AS wss
ON sys.resourceID = wss.resourceID
left join v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP on (v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP.ResourceID = sys.ResourceID)
inner join v_FullCollectionMembership on (v_FullCollectionMembership.ResourceID = sys.ResourceID)
WHERE
v_FullCollectionMembership.CollectionID = @CollectionID
ORDER BY
[Days Since Last Reboot] DESC
Friday, January 27, 2012
Kindle Fire 6.2.2 on Linux
How to root the Kindle Fire (updated for 6.2.2) – New Tech Gadgets & Electronic Devices | Geek.com:
This is a great guide but missed some critical differences when trying to work on a Linux machine (probably a Macintosh too)
This is a great guide but missed some critical differences when trying to work on a Linux machine (probably a Macintosh too)
On step 2, you need to make 2 changes on Linux. One found under your local android preferences folder ~/.android/adb_usb.ini
1. Add 0×1949
2. Add 3 lines to your /etc/udev/rules.d/51-android.rules
# Amazon Kindle Fire
SUBSYSTEM=="usb", ATTR{idVendor}=="1949", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="1949", ATTR{idProduct}=="0006", SYMLINK+="android_adb"
SUBSYSTEM=="usb", ATTR{idVendor}=="1949", ATTR{idProduct}=="0006", SYMLINK+="android_fastboot"
http://aur.archlinux.org/packages.php?ID=51476
On step 3 they forgot to tell you to download a SU Binary
http://channelandroid.com/2011/08/25/droid3-with-superuser-and-su/
Here are the next steps for TWRP 2.0 installed
On step 3 they forgot to tell you to download a SU Binary
http://channelandroid.com/2011/08/25/droid3-with-superuser-and-su/
Here are the next steps for TWRP 2.0 installed
Download file above. Execute the commands below from the command prompt with your Kindle connected to the PC.
adb shell
su
idme bootmode 4002
fastboot -i 0x1949 boot twrp-blaze-2.0.0RC0.img
Subscribe to:
Posts (Atom)