Admin Guide. Version Lieberman Software Corporation

(1)

Admin Guide

Version 7.50

(2)

The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited.

Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If there are any problems in the

documentation, please report them to Lieberman Software in writing. Lieberman Software does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA 90067 310.550.8575 Internet E-Mail: [email protected] Website: http://www.liebsoft.com

(3)

This chapter includes an overview of what User Manager Pro's goals are, knowledge that users are assumed to have, some background information on User Manager Pro's multi-threaded nature and performance information, and a background on the nature of how groups and actions work in Windows. Also in this chapter you can find directions to the License Agreement and a copy of the limited warranty agreement that come with the software.

IN THIS CHAPTER

Overview ... 1

Prerequisite Knowledge ... 2

Performance Notes ... 2

License Agreement ... 3

Limited Warranty ... 4

OVERVIEW

Welcome to User Manager Pro. If you have purchased the product, read on to discover all the features at your disposal. If you are just evaluating the product, we hope you will be very pleased with its capabilities.

If you are familiar with NT’s User Manager or User Manager for Domains, Computer Management in Windows 2000 and later, or Active Directory, you will find User Manager Pro's user and group management features very familiar. However, instead of making changes to only one machine or domain controller, you can control thousands of machines with a single mouse click - with all of the results logged to a human readable text file.

But user and group management is only the beginning. With rights and auditing changes, advanced registry editing, reporting, remote reboot, automatic deferred retry, Wake on LAN, IP Scanning, and many other features, User Manager Pro is one of the most advanced and functional high- performance administration tools you can use.

If you have ever bothered with PERL, VB or Kixtart scripts to control the configuration of your Windows users, groups, rights, registry or policies on your workstations, you will be exceptionally happy with the speed, ease of use, and power that this tool gives you.

(9)

PREREQUISITE KNOWLEDGE

Before we begin, we assume that you are already an experienced Administrator for Microsoft Windows. You should be familiar with basic networking, managing users and groups, and typical administration tasks. More advanced operations may require more specialized knowledge. User Manager Pro is designed to make administration tasks quick and easy for the skilled administrator; not to teach administration. If you have problems or need assistance in the installation and operation of this product, you can contact us for assistance - we want your installation and operation to be a smooth and successful experience.

If you plan on using a Microsoft SQL Server installation to store the reporting data for reports generated in User Manager Pro, we recommend that you be familiar with the administrative concerns that go along with updating and maintaining an instance of SQL Server (or have a database administrator that is familiar with these issues). Topics that you should be aware of include: Securing the database, creating access roles to allow access to your users, patching the database and keeping up to date with updates, backing up/or and auditing the database to ensure you don't lose your stored data.

You can keep up to date on the latest upgrades via our web site at http://www.liebsoft.com, or you can email us at: [email protected].

PERFORMANCE NOTES

Most operations take about one second per system or less. Operations on large groups of systems are processed in parallel so you will see many operations completing simultaneously.

User Manager Pro is a multi-threaded management system (by default User Manager Pro will use up to 100 worker threads). The software will automatically exploit all available processors to enhance the performance of the program.

User Manager Pro operations utilize only moderate network bandwidth, and do not exceed the bandwidth requirements of comparable operations using built-in Windows tools.

When operating over a WAN (Wide Area Network), you will see some degradation in overall completion times due to packet transmission delays. Because of User Manager Pro's multi-threaded operation, communication with many systems will be happening concurrently, so network delays will not be cumulative.

If you chose to cancel multi-threaded operations in User Manager Pro, you must wait for all running threads to complete or time-out before performing another operation. There is almost always an on screen indicator that shows that current number of active threads.

(10)

LICENSE AGREEMENT

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation as well as all accompanying items promptly for a refund.

1. Your Rights: Lieberman Software hereby grants you the right to use User Manager Pro to manage the licensed number of systems purchased. This software is licensed for use by a single client and its

designated employees, contractors and authorized 3rd parties to manage the systems owned/used by a single client. The software license may not be shared with unrelated 3rd parties.

The serial number provided by Lieberman Software is designed for installation on a specific machine. You many install an unlimited number of copies of User Manager Pro for your administrators that connect to the single licensed machine. All administrators can share the pool of purchased managed node licenses.

There are no limits to the number of web servers or clients that may access the data stored by your licensed copy of User Manager Pro. You may install and use the “User Manager Pro: Web Interface to Random Password Generator Password Recovery Console” with your duly licensed copy of User Manager Pro + Random Password Generator without any additional payment to Lieberman Software.

The cost of Microsoft web servers, SSL certificates, and other supporting equipment and technology are the sole responsibility of the user of this software-not Lieberman Software.

2. Copyright. The SOFTWARE is owned by Lieberman Software and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also--you may not make copies of the manual for any purpose other than the use of the software. 3. Other Restrictions: You may not rent, lease, or transfer the SOFTWARE to any other entity. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.

4. Notice: This software contains functionality designed to periodically notify Lieberman Software of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software under these circumstances, and you agree to not hold Lieberman Software responsible for the use of any or all of the information by Lieberman Software or any third party.

(11)

When used lawfully, this software periodically transmits to us the serial number and network

identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party.

Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA 90067 310.550.8575 Internet E-Mail: [email protected] Website: http://www.liebsoft.com

LIMITED WARRANTY

The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30-days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media.

The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without

warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the

programs or documentation of/for consequences of any such errors. This agreement is governed by the laws of the State of California.

Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write:

Lieberman Software Corporation 1900 Avenue of the Stars

(12)

Los Angeles CA 90067

You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or e-mail us at: [email protected].

(13)

(14)

The initial screen of User Manager Pro presents a list of machine management sets that can be managed. These management sets will contain the systems that will be managed or reported on. There are no hard limitations on the number of management sets that can be created. Management Sets may be created based on management requirements and/or the topology of the network. Many customers create sets for domain controllers, Servers, Workstations, different physical locations, and LAN/WAN sites. The advantage of management sets is to present systems in an organized way to perform administration.

There are two different types of management sets in User Manager Pro, simple (see "Adding Systems to a Simple Management Set" on page 17) and dynamic (see "Adding Systems to a Dynamic Management Set" on page 30). Simple management sets have static lists for system membership. Dynamic

management sets are defined by ranges where all systems within those ranges are included in the management set. Dynamic management sets can be used to manage a set of systems that are defined by a domain, an Active Directory OU, or a specific IP address range, where the actual systems in that may vary.

(15)

Initially there are no management sets, so at least one must be added (see "Create Management Sets" on page 12). Then proceed with populating the management set with machines (see "Adding Systems to a Simple Management Set" on page 17), followed by reporting on and/or making changes to those same systems.

On the bottom right side of the screen is the current License Mode. Local Machine means a license is installed on the local system. If the entry is Remote: ServerXXX then a license key is being shared from the named server.

On the bottom left side of the screen are options to manage management sets. Activate launches the management interface of the selected management set, Add creates a new simple management sets to manage, and Delete deletes the (highlighted) management set(s) from the list of management sets.

IN THIS CHAPTER

Main Dialog Pull-Down Menus ... 8

MAIN DIALOG PULL-DOWN MENUS

SETTINGS



General Options - Set up the general program options like threading, wait time, and process order.



Logging Options - View, print, or change the save location of User Manager Pro's log file.



Reporting Datastore Options - Configure User Manager Pro to use the registry or a SQL database as its reporting data store.

PROGRAM



Backup Internal Database to RegEdit File - Copies the entire internal database used by the program to a RegEdit file.



Restore Internal Database from RegEdit File - Restores the entire internal program database from a RegEdit file.



Delete Internal Database - Removes the internal program database from the registry.

(16)



Import from Comma-Delimited File - Updates management sets from a comma-delimited backup file.



Import from ODBC Datasource - Updates management sets from an ODBC data source.



Export to Comma-Delimited File - Copies the management set list and members database to a comma-delimited file.



Import Settings from Remote License Server - Import program settings from the remote license server.



Export Settings to Remote License Server - Export the system settings to the remote license server.



Scan IP Rangers for Systems - Use the IP Scanner to add/update systems.



Activate Selected Management Set - Open the currently selected management set.



Add Simple Management Set - Creates a new empty management set.



Add Dynamic Management Set - Creates a new empty dynamic management set.



Remove Selected Management Set - Remove a management set from the program.



Management Set Properties - Change the name of a management set or change the management set comment.



Find Systems in Management Sets - Locate a specific system in a management set.

DEFERREDPROCESSING



Jobs Monitor - Opens the Jobs Monitor dialog.



Retry Policy - Opens the Retry Policy dialog to adjust handling of errors.

HELP



Help Contents - Displays this help file.



Show Tip of the Day - Shows the Tip of the Day.



License Token Management - The License Token Dialog allows assigning or releasing license keys to systems.



Licensed Components - Displays a list of the features that are enabled.



Register - Allows entering registration information.



Show Logon Info - Displays current logon information.



Revision History - Displays the product's revision history.



Check For Updates - Checks the web for any recent updates to User Manager Pro

(17)

(18)

Systems that will be managed are organized into lists called management sets. This allows creation of logical groupings of systems based on their type, operating system version, physical location, or any other personal organization scheme.

This chapter describes how to create and manage lists of systems. A system must be located in one or more management set before performing operations on it. This chapter includes all the ways to add or remove systems from the program as well as the ways to backup system list and program data.

There are multiple ways to add systems to the current management set.

To access these features, either select them off the context menu (right click in the systems list window) or click on the SystemsList menu option.

Add from Domain List (see "Add From Domain Systems List" on page 18) - This is the fastest way of adding systems that have joined a trusted domain. This uses the NT4 style domain browser.

Add from Browse List (see "Add From Network Browse List" on page 19) - The easiest way to find machines using the network browse list.

Add from Shell Browser (see "Add From Shell Network Browse List" on page 21) - Add systems from the Windows shell network browser.

Add Systems Manually (on page 22) - For machines that are not visible or have not joined the domain. Add from Active Directory (on page 24) - To add machines using the Object Picker under Windows 2000 and later.

Add from IP Scanner - Add machines by specifying IP Address ranges or domains. Import Systems List from a Text File - Import a list of systems from a text File. Export Systems List to a Text File - Export a list of systems to a text File.

MANAGED SYSTEMS LISTS

(19)

IN THIS CHAPTER

Create Management Sets ... 12

Exclusion List ... 16

Adding Systems to a Simple Management Set ... 17

Adding Systems to a Dynamic Management Set ... 30

Change Management Set Properties ... 47

Import Management Sets ... 49

Backup Management Sets ... 55

Delete Management Set ... 57

Delete Internal Database ... 57

CREATE MANAGEMENT SETS

Choose to create a dynamic management set or a simple management set. Dynamic management sets contain a variable list of systems and are built on criteria such as location on Active Directory, domain membership, or operating system type. This list of systems is updated automatically. Simple

management sets are managed entirely by hand.

Choose one of three ways to create a dynamic management set (see "Adding Systems to a Dynamic Management Set" on page 30):



Click on the Add button from the Management Set to Manage Panel.



Select the Add Dynamic Management Set option from the Groups menu.



Select the Add Dynamic Management Set option from the context menu (right-click menu). Choose one of the three ways to create a simple management set (see "Adding Systems to a Simple Management Set" on page 17):

(20)



Click on the Add button from the Management Set to Manage panel.



Select the Add Simple Management Set option from the Groups menu.



Select Add Simple Management Set from the context menu (right-click menu).

(21)



A simple management set that contains only the local host system.



A dynamic management set that uses the local domain as the source from which to draw a list of systems.



A custom simple (see "Adding Systems to a Simple Management Set" on page 17) management set that has no members. Manually choose which systems to add to the management set.



A custom dynamic (see "Adding Systems to a Dynamic Management Set" on page 30) management set that has no initial settings. Define the criteria that the management set will use to populate itself.

(22)

After selecting an option to add a new management set, additional steps may be required based on the selection. If creating a management set with only the local system, a window like the one below will open and already have the UMP host system in it. If creating a management set with all the systems in the same domain as the local system in it, a windows like the one below will open with all systems from the local domain (as according to the local domain controller) will open. If creating a custom simple management set, the window below will open with no systems added. If creating a custom dynamic management set, the dynamic properties dialog will open and criteria must be provided to dynamically build the list of systems for the management set.

(23)

EXCLUSION LIST

The Exclusion list allows specifying system names that this tool will not be allowed to modify or report on. These could be servers or administrator machines, or maybe just sensitive machines. The exclusion list is program wide. This menu can be accessed from the Systems Excluded from all Operations under the SystemsList menu of any management set.

Shown Below is the Exclusion List dialog.

Use the Add and Delete buttons to manually change the Exclusion List entries or use the Import List button to load a line delimited text list of systems.

If making a change to a system in the Exclusion List, a special confirmation pop-up confirming the change will appear.

(24)

ADDING SYSTEMS TO A SIMPLE MANAGEMENT SET

There are various different ways to add systems to a management set manually once the set has been created:



Add from domain systems list.



Add from network browse list.



Add from shell network browse list.



Add systems manually by name



Add from Active Directory



Add from scanned IP ranges.



Import/Export Systems List from text file.

These methods are in addition to the IP Scanner and ODBC query, which can both be used to create a new management set.

(25)

ADD FROM DOMAIN SYSTEMS LIST

Shown below is the Add from Domain List dialog.

The fastest method of adding Windows systems to this program is to inquire at the Domain Controller for the list of machines which have joined the domain. There are a few confusing cases when viewing servers in the domain list. The machine list may not represent all of the machines on the network (some machines may not have joined the domain). The list usually contains systems that have left the domain, but have not been purged from the domain database.

After adding machines to the Selected Systems list, use the Platform? button to verify the connectivity, credentials, and version of the selected systems. The Platform? feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as, which network services (Type) are running on the machine. This feature is an excellent way to verify that only live appropriate systems are added.

(26)

The Platform field indicates what operating system type is running.

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing Platform?), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, 5.2 is Server 2003, 6.0 is Windows Vista/2008, 6.1 is 7/2008R2, 6.2 is 8/2012, 6.3 is 8.1/2012R2), Role, and Net Services.

The Net Services field indicates which network services are running on each system. It is normal for both a Workstation and Server to both have the Workstation and Server services running.

When performing domain lookups and platform checks the status, progress, and thread count are all updated in real time. The status box displays messages about the status of current the operation, and the active thread count displays how many threads have yet to complete for this operation.

ADD FROM NETWORK BROWSE LIST

(27)

To add a machine using the Network Neighborhood browsing architecture of the operating system, press the Insert key on the keyboard or the Browse button on the Manage Systems dialog.

If working with systems that have not joined a domain (workgroups), the easiest way to find and add them is to use the Network Browser architecture of Windows. This dialog allows browsing the different network providers (Microsoft, Novell, Banyan), and then drill down to find the different machines on each network.

The Platform field indicates what operating system type is running.

(28)

ADD FROM SHELL NETWORK BROWSE LIST

The Shell Network Browser dialog allows browsing the network for systems to add using the shell's browse functionality. This may be helpful for adding machines from organizational units in Active Directory, since the shell allows browsing of the Active Directory hierarchy. In this view, organizational units are represented as folders in the hierarchy. If creating a separate set for each organizational unit in the company, populate the sets easily using this dialog.

(29)

ADD SYSTEMS MANUALLY

Shown below is the Add Systems Manually dialog.

In cases where machines are not visible within the Network Neighborhood, and have not joined the domain, systems may need to be added manually.

(30)

(31)

ADD FROM ACTIVE DIRECTORY

Shown Below is the Add Systems from Active Directory dialog on the Active Directory Browse page.

When running on Windows 2000 or later, a special Active Directory control known as the Object Picker may be used to find systems. The default options for the control are to show both up-level (native and mixed mode) systems, as well as, down level systems (NT). Options to search any desired domain controller or selection of a desired directory can be specified here.

(32)

BROWSE OPTIONS

Shown below is the Browse Options page of the Add From Active Directory Dialog.

The Browse Options page shows the available options to put into effect when the "Browse…" button is clicked on the first page. There is typically no need to change the browse options, but if changes are made on the "Browse Options" page and then return to the first page and then click on the "Browse" button to see the results of the new options.

The default options are to browse for machines in up level and down level domains to which the host system is joined. The default domain is the currently logged on user account is authenticated with and the search is performed from the local machine.

ACTIVE DIRECTORY BROWSE OPTIONS –TARGET COMPUTER

These options allow controlling where searches are to be performed. Normally these options should be ignored. Use these options to extract machine lists from foreign/non-Active Directory domains.

(33)

Skip Target Domain Controller Check - Set this flag if the computer is not a domain controller, to save time. However, if the machine is a domain controller, this flag would not typically be set. It is usually best to select domain objects from the domain scope rather than from the domain controller itself.

Target Computer (optional) – Allows specifying where to execute the search via the text entry field below the check box. Set the check box and set the field to a non-Active Directory domain controller to see a list of machines that have joined that domain (The "Skip Target Domain Controller Check" should be unchecked in this scenario). If the "Target Computer" entry field is blank, the current machine is the target computer.

ACTIVE DIRECTORY SCOPE OF PROVIDER SEARCH

These options allow controlling which data source is to be used for the machine search. Generally, leave all of these options unchecked.

Force Starting Scope as… - Sets the first entry in the "Look in" drop down to the option selection. Normally the drop down will default to its own choice.

Provider… - These options are different data sources for searches.

LOOK-IN OPTIONS

Up level Joined Domain - Search the up level domain to which the target computer is joined. If this flag is set, use the "Up level Domain Controller" entry field to specify the name of a domain controller in the joined domain.

Up level Domain Controller Field - This field can be blank even if the "Up level Joined Domain" is checked, in which case, the dialog box looks up the domain controller. This entry field enables specifying a domain controller in a multi-master domain. For example, an administrative application might make changes on a domain controller in a multi-master domain, and then open the object picker dialog box before the changes have been replicated on the other domain controllers.

Down level Joined Domain – Search the down level domain to which the UMP host computer is joined. Enterprise Domain – Search all Active Directory domains in the enterprise to which the target computer belongs. If the Up level Joined Domain check box is set, then the results represent all Active Directory domains in the enterprise except the joined domain.

External Up level Domain – Search all up level domains external to the enterprise but trusted by the domain to which the target computer is joined.

External Down level Domain – Search all down level domains external to the enterprise but trusted by the domain to which the target computer is joined.

Workgroup – Search the workgroup to which the target computer is joined. Applies only if the target computer is not joined to a domain.

(34)

User Entered Up level Scope – Enables entry of an up level scope. If neither of the "USER ENTERED…" types is specified, the dialog box restricts the query to the scopes in the "Look in" drop-down list. User Entered Down level Scope - Enables entering a down level scope.

(35)

ADD FROM IP SCANNED RANGE

This option will open up the IP Scanner (see "IP Scanner Dialog" on page 223) to scan TCP/IP Address Ranges for systems that respond to the currently logged on credentials. Once the ranges are defined systems found, use the IP Scanner's export options to add systems to system sets.

As this feature successfully contacts each machine on the list it inquires as to what version of the operating system it is running, as well as, which network services (Type) are running on the machine. This feature is an excellent way to verify that only live appropriate systems are added.

IMPORT/EXPORT SYSTEMS LIST

There are following methods listed under the SystemsList | Import/Export Systems List menu item to import or export systems lists:

(36)



Import System List from Text File



Export System List to a Text File

These methods make it easy to import systems lists from text files. An import will require a previously created list of systems that is properly formatted. Properly formatted text files of systems lists have one system name per line.

(37)

ADDING SYSTEMS TO A DYNAMIC MANAGEMENT SET

A Dynamic Management Set is a set which contains all the systems found in one or more ranges. The range can be any combination of IP address ranges, domains, active directory containers, database queries, or explicit inclusions. This range can be further customized by the use of operating system filtering options. The following diagram illustrates the various different ranges that can all be used within a dynamic set. For this dynamic set, the system list will include systems found in all of these ranges. Because the system list for a dynamic management set is pulled dynamically from a range, the set can stay in sync with a changing network configuration without user intervention.

The list of systems in a dynamic set is re-scanned on a recurring (customizable) interval. A dynamic set may be configured to add any new systems found in the range to the set and/or release systems from the set that are no longer in the inclusion range. The following diagram, depicts the flow of events in the cycle of a dynamic management set.

(38)

The purpose behind dynamic management sets is to create a set that will dynamically update its system list to match the current state of the managed range, without having to manually add and remove systems when the network is reconfigured. By default, Dynamic sets are checked every 30 days for new systems in the network configuration and old systems which have lost contact are removed after 90 days of inactivity. Additionally, systems may be removed from the set if they are not found within the range after a re-scan.

An example of a dynamic system set would be a dynamic system set managing the domain MyDomain. After setting up the domain to be scanned every ten days in the options page, the program will scan the range and add all systems in the MyDomain to the systems list for the set. During the month, three systems are removed from the domain and four new systems are added. At the start of the next month the product will refresh information for all the systems on MyDomain. The Windows domain

(39)

membership has changed, but the system set will have synchronized automatically. The dynamic system set has been scanning the domain for membership every 10 days and already has the current system list for MyDomain.

To create a dynamic system set click on Add System Set from the System Set menu in the main dialog or select then choose Custom Management Set. Each aspect of the dynamic set is described in the following sections.

Enter a unique name for a new system set.

The other available configuration options for dynamic sets are:



A comment.



A range for the dynamic set using one or more of the following: Domains, IP Address Ranges, Active Directory Paths, and Data Sources.



An Explicit Inclusions entries list for systems to be included that may be outside of the range.



An Explicit Exclusion entries list for systems that will be in the range but should not be managed.



Filter Options to limit set membership to specific names of systems, operating system versions, or system types.



Options to specify how often the range is scanned for new systems and under which conditions old systems should be removed from the set.

(40)

DYNAMIC SET NAME AND COMMENT

Shown below is the Name/Comment tab.

Specify a name for the set and an optional comment. These properties are identical to their simple set equivalents. Use any characters desired to specify set names except "\\".

(41)

DYNAMIC SET DOMAINS

Shown below is the Domains tab. Use this tab to add domains by the domain's NetBIOS name (NT style). If the domain in question is an Active Directory domain, use the Active Directory Paths tab instead.

(42)

Add new domains to the dynamic range by clicking the box button in the upper-right of the list control. Either manually enter the name of the domain, or browse for domain names using the "..." button. It is also possible to specify a system to get a list of trusted domains.

(43)

DYNAMIC SET IP ADDRESS RANGES

Shown below is the IP Address Ranges tab. Use this tab to scan a range of IP addresses to find systems.

Add new IP Address ranges to the set by clicking the box button in the upper-right of the list control. For help on how to specify IP Address ranges, see the IP Address Entries Section of the IP Scanner chapter. Any systems found within the IP range that authenticate will be included in the dynamic set. Only systems that respond are added to the set through the IP Scanner. Systems that are off-line will not be added to the set through the IP Scanner.

DYNAMIC SET ACTIVE DIRECTORY PATHS

Shown below is the Active Directory Paths tab. The Active Directory Paths tab is used to include and subsequently exclude systems from the management set. Use this tab to add entire Active Directory domains, or portions of the domains such as OUs and containers. The exclude path is actually a subset of

(44)

the include path. If it is desired to exclude systems that would otherwise be included from the management set, then add those systems to the Explicit Exclusions tab.

(45)

Add new Active Directory paths by clicking the box button in the upper-right of the list control. Systems found using these paths will be included in the dynamic set. Add as many LDAP paths as desired.

Click the ellipses (...) to the right of the LDAP Path field to browse Active Directory. If unable to browse Active Directory, type in the name of a domain controller in the Active Directory field followed by the path to the container that should be included.

When creating systems lists, the Filter Options [tab] can be utilized to look for specific names or

operating system versions. Using this process, quite a bit more bandwidth than is necessary is utilized if the systems being looked for are to be found in AD. The reason this is an expensive operation, is that using the filtering options tab, each system must contacted to determine if it meets the criteria defined on the 'Filter Options' tab. In total, it means the systems list is derived from AD first and then imported into the systems list. Then a series of secondary connections are made to the target systems to identify if the system meets the filtered list of criteria. The systems list is then re-filtered to contain only systems that meet the filter. The larger downside is that if a system is off-line during this operation, this process

(46)

cannot be performed and thus the system will remain in the systems list and potentially be managed if the list is not updated prior to the job running.

If everything is in AD, the best practice is to use a custom LDAP query to aid in finding and filtering for systems. The most obvious benefit is the cost of this query: a single LDAP query to one domain controller to obtain all the information needed without ever contacting the target systems or performing post filtering for each system in the systems list.

When generating an LDAP query, be aware of how the query is formed – the rules follow those of regular expressions but the syntax is slightly different.

* = anything, any number of characters. As in “joe*” would return joe, joey, joe1234567890”, etc. ? = single character. As in “jo?” would return “joe, joy, jot” etc.

| (pipe) = or & = and ! = not

Single expressions are all grouped with parenthesis. For example: (objectCategory=computer)

Would return every computer at the target LDAP container.

To include multiple expressions, join them with an “&” and a set of parenthesis. For example, to find all computers whose account name started with LA:



All computers = (objectCategory=computer)



Name starts with LA = (sAMAccountName=LA*) Would be written as:

(&(objectCategory=computer)(sAMAccountName=LA*))

To include multiple expressions, join them with an “&” and a set of parenthesis. For example, to find all computers whose account name started with LA, but excludes Windows 2003 systems:



Name starts with LA = (sAMAccountName=LA*)



Windows 2003 Operating System = (operatingSystem=Windows Server 2003) Would be written as:

(&(&(objectCategory=computer)(sAMAccountName=LA*))(!(operatingSystem=Windows Server 2003)))

To include multiple expressions, join them with an “&” and a set of parenthesis. For example, to find all computers whose account name started with LA, but excludes Windows 2003 or Windows XP systems:

(47)



Name starts with LA = (sAMAccountName=LA*)



Windows 2003 Operating System = (operatingSystem=Windows Server 2003)



Windows XP Operating System = (operatingSystem=Windows XP) Would be written as:

(&(&(objectCategory=computer)(sAMAccountName=LA*))(!(|(operatingSystem=Windows Server 2003)(operatingSystem=Windows XP))))

Break apart the last query to see the steps a little easier - (& (& (objectCategory=computer)(sAMAccountName=LA*) ) (! (|

(operatingSystem=Windows Server 2003) (operatingSystem=Windows XP)

) ) )

Queries can be much more or less complex than what is shown here. Any attribute present in Active Directory may be used for a possible query. Three additional and useful computer filters are:



Disabled account: userAccountControl:1.2.840.113556.1.4.803:=2



Domain Controllers: userAccountControl:1.2.840.113556.1.4.803:=8192



Global Catalogs: (&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1)) To find all computers and exclude all disabled computer accounts:



Disabled account: (userAccountControl:1.2.840.113556.1.4.803:=2) Would be written as:

(48)

(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

DYNAMIC SET DATA SOURCES

Shown below is the Data Sources tab of the Dynamic Set sheet. Use this dialog to query an existing database to return a list of systems to manage.

To add queries to the list, click the box in the upper-right corner of the list. Add entries to this list using the following dialog. Either supply a specific connection string or click the ellipses (...) to begin a

(49)

Note, if the option of Allow manual editing of connection string is selected and the database connection is performed using an explicit account rather than Windows integrated authentication, the password will be shown in clear text.

Supply a properly formatted query to return the desired system names; only the system names should be returned from the query. Each resulting row from the query is expected to contain one value, which is the name of a system to be included in the set.

(50)

DYNAMIC SET EXPLICIT INCLUSIONS

Shown below is the Explicit Inclusions. Use this tab to manually define entries that should always appear in this set.

Using Explicit Inclusions, specify one or more systems by name that will be included in the set whether or not they are discovered by other means.

Example: System ASQL01 is added to the Explicit Inclusion list. When the domains, IP address ranges, and Active Directory paths (which make up the dynamic set range) are scanned and the system ASQL01 is not found in those ranges, the system ASQL01 is still added to the system list of the set. When the set is refreshed, the system ASQL01 will not be removed from the set unless it has been removed from the Explicit Inclusions list (or placed on the Explicit Exclusions list). Systems placed on both the Explicit Inclusions list and Explicit Exclusions lists will be excluded from the set.

(51)

DYNAMIC SET EXPLICIT EXCLUSIONS

Shown below is the Explicit Exclusions tab. Use this tab to manually define systems which should always be excluded from the set regardless of any other discovery or inclusion properties.

Using Explicit Exclusions, a set of systems that will never be included in the set, even if they are within the discovery range, can be defined. Use this option to prevent the accidental addition of certain sensitive systems to the list, such as domain controllers or servers.

Example: System SERVER is the domain controller for the domain MyDomain. System SERVER should not be managed using the tool, but it is part of the MyDomain domain, which is part of the dynamic set range. The system SERVER is added to the Explicit Exclusion list. When the set is refreshed, SERVER will be found in the MyDomain domain, but SERVER will not be added to the list of managed systems even though it is included within the domain. Subsequent refreshes of the set will not cause SERVER to be added to the list of managed systems until it is removed from the Explicit Exclusions list. Systems placed on both the Explicit Inclusions list and Explicit Exclusions lists will be excluded from the set.

(52)

DYNAMIC SET FILTER OPTIONS

Shown below is the Filter Options tab. Use this tab to filter systems by their role, operating system, or name. This option may be used to filter any and all of the other inclusion criteria such as Domains, IP Address Ranges, etc. However, it is not recommended to use this tab when including systems from Active Directory. Specifically, Active Directory stores all of this information already. Using this dialog will force the product to add all systems found from Active Directory, then subsequently attempt a

connection to each system to see if it meets the filter criteria. This can cause a job that could be performed in a single 20 second query to AD to take 10-15 minutes to complete. When using Active Directory paths, it is recommended to use a custom LDAP query to filter systems by name, role, or operating system type.

Filter Options allows specifying a system name filter string (when scanning for new systems), system type matching, and OS version matching. System names which do not match the filter will be excluded from the set. The filter string can include one or more "*" as wild cards for matching systems. Do not

(53)

use "?" to specify a single character wild card. Only system names which match all filter criteria will be included in the set, all other systems will be filtered out.

When using filter options, this tool will attempt a connection to the identified system in order to determine what operating system version it is. If the filter options are left in their default state (or reverted if changed) when creating sets, the tool will not attempt a connection to the system when it adds it to the set. This means a dynamic set with filter options enabled will take longer to update its systems list than will a dynamic set not using filter options.

Example: Manage all the systems that contain 'SALES', such as SALES1 and WORKSTATION_SALES. by specifying a name filter of "*SALES*".

DYNAMIC SET OPTIONS

Shown below is the Options tab. This tab defines how often the set will automatically update and if it will remove systems from the set automatically.

(54)

These options handle the automatic addition/removal of systems to or from the set. Adjust how often the program checks the range of the set for new systems to add to the set by selecting the Update management set every option.

If the Update management set every option is not checked, the set must be manually refreshed by selecting Update System Set from the SystemsList menu.

The first two options deal with removal of systems from the set. If the first option is selected and a computer is no longer found in the configured ranges it will be removed from the dynamic set. If the second option is selected and a system has not been contacted for 90 days, it would be automatically removed form the list.

For example: The set is configured to include all systems from

LDAP://dctr/ou=wks,dc=mydomain,dc=com. When the set was first configured the list, there were three hundred systems in the OU. Today, 20 of those systems were decommissioned and removed form that OU. With the first option selected, when the dynamic set updates the systems list, those 20 systems would be removed from the systems list as well. Without the first option selected, they would continue to remain in the list indefinitely or if the second check box is selected, once they have not been

contacted for 90 days.

CHANGE MANAGEMENT SET PROPERTIES

After a management set has been created, it may be necessary to change the properties of that set. For a simple set, this means simply changing the name and/or comment; for a dynamic set, these properties include the scan ranges, inclusion and exclusion lists, scan options, and filter options. There are three ways to change the comment field for a set:

(55)



Select the management set and click Management Set Properties from the Groups menu.



Select Management Set Properties from the context menu (right-click menu) for the groups list.



Select Management SetProperties from the SystemsList menu in the Manage Systems dialog. Doing any of these in conjunction with a simple management set will display the dialog shown below. Changing the properties of a dynamic management set will open the full dynamic management set property page. For more information about Dynamic management set , see Dynamic Management Sets (see "Adding Systems to a Dynamic Management Set" on page 30).

(56)

IMPORT MANAGEMENT SETS

This tool offers various ways to create sets of machines to administer:

1) Import from a comma-delimited file.

2) Import from an ODBC data source.

3) Import from scanned IP ranges.

4) Restore management sets from a Regedit file.

5) Import from a Remote License Server.

IMPORT FROM A COMMA-DELIMITED FILE

This tool allows importing lists of systems from CSV files. This means that it is possible to store system lists in a text file or generate a system list from another program and then load it into a management set. To import from a comma-delimited file, simply select the directory and file name of the file containing the system list and click Open.

A properly formatted text file will contain comma-delimited data in three columns:

1) The management set name

2) The management set comment

3) The machine name

(57)

IMPORT FROM ODBC DATASOURCE

Many organizations are more than happy manually setting up system sets and populating those system sets manually from domain or browse lists. On the other hand, large companies that have a constantly changing inventory of machines under management will find manual methods cumbersome. The ODBC import capability allows this program to set-up its management sets and machine members from a database of systems. Source databases can be comma-delimited files, Excel spreadsheets, and SQL Server databases. In fact, almost every database today has an ODBC interface that is compatible with this program.

To use this feature, system set data should be located in three columns within the data source: one column for corresponds to set name, another to set comment, and a third to system name.

GETTING STARTED

Before using this feature, permission to access to the database containing the information is required. Next, set up a ‘data source’ (also known as a DSN). This is under administrative

tools. Lastly, identify which table contains the system set and machine name information as well as the column names for that information.

Remember that the machine name must be the NetBIOS machine name or the TCP/IP address (although this is not nearly as friendly).

The last part is to set up the program to perform the import and create a little snippet of SQL code to do the retrieval.

(58)

Below is the ODBC dialog:

Each part of the dialog and example steps to set up a simple interaction is described below. Set the Database Connection String (on page 52)

SQL Statement (on page 53)

(59)

SET THE DATABASE CONNECTION STRING

Click on the button ‘…’ to the right of the Database Connection String entry field. Select the tab for Machine Data Source.

If the data source is already configured, select it from the list and click on the OK button. If the data source is not created, click on the New button.

Using the wizard, create a data source to point to the database. This will involve picking a device driver, giving the data source a name, and finding it (attaching to it). Make sure an ODBC compatible data source is configured.

When all of the steps are completed correctly, the database connection string will become available: DSN=SYZCORP;DBQ=D:\SysMgr\xyz.mdb;DriverId=25;FIL=MS Access;MaxBufferSize=2048;PageTimeout=5;

(60)

SQL STATEMENT

Now write a simple piece of SQL code into the ‘SQL Statement’ field. This is nothing more than a single line of text that tells the ODBC driver what table to use in your database as well as which fields to retrieve. The format of the code is:

Select "field1", "field2", "field3" from Table

Optionally, add a second line containing a qualifier such as: Select "field1", "field2", "field3" from Table

Where Table.field4 = ‘Windows NT’

or other such qualification to make sure that only the correct records are retrieved. The returned fields are used as follows:

field1 – Group Name field2 – Group Comment

field3 – Machine Name or IP Address

When retrieving data from an Excel database, put the ‘Table’ portion of the SQL statement in square brackets ‘[Table]’.

RETRIEVING THE DATA USING THE DATABASE

To execute the SQL code against the data source, click on the Get Data button. In the log at the bottom of the dialog note the statistics of the retrieval (example statistics):

Unique Groups: 244 Unique Comments: 5 Unique Machines: 1569

At the top of the dialog are the retrieved records. The retrieved records show which system sets will be created as well as the machine names that will be added to those sets. To import all of these sets and machines, click on the Apply button.

To merge into an existing system sets, leave the check box: Replace all existing sets and machines with this data unchecked. If the existing data should be purged and replaced with the retrieved data, set the box to the checked state.

(61)

IMPORT FROM A SCANNED IP RANGE

Use the IP Scanner to scan IP Ranges for systems and then use the resulting systems list to create a new management set. To perform this operation:

1) Click on the Scan IP Ranges for Systems from the Groups menu.

2) Setup the IP Scan to find the systems to include in the management set.

3) Click on Export Scanned Entries from the File menu in the IP Scanner.

4) Select an option for creating new management sets or importing into an existing management set.

5) Click OK.

The tool will state how many total machines were added to the target management set. For more information about using the IP Scanner, see IP Scanner.

RESTORE INTERNAL DATABASE FROM A REGEDIT FILE

To restore all the internal database information from a backup RegEdit file, click on Restore Internal Database from a RegEdit file from the Program menu on the main dialog. Now select the name of the backup file and the path to that file. Choose to merge the backup with the current data if new

management sets were added that should be kept, or choose to replace the current internal database with the backup which will overwrite any existing management sets. Click OK to complete the restore. Note: An appropriate serial number for the host system or remote access to a licensed system will be required.

IMPORT SETTINGS FROM REMOTE LICENSE SERVER

Import Settings from Remote License Server allows importing User Manager Pro settings from another Remote License Server onto the current machine. These settings include all program data and

configuration including management sets, preferences, logging options, alternate administrators and scheduled jobs.

(62)

BACKUP MANAGEMENT SETS

There are various ways to backup existing management sets:

1) Backup Internal Database to Regedit File.

2) Export to Comma Delimited File.

3) Export Settings to a Remote License Server.

BACKUP INTERNAL DATABASE TO REGEDIT FILE

The option to Backup Internal Database to RegEdit File will save all the internal management sets and settings to a regedit file. Specify a path and a file name for the new backup file. This to backup may be used to backup program settings or transfer settings from machine to machine.

Backup the program management set database (program management sets and system information) to a regedit file. If using the random password generator add-on, it is possible to backup just the stored password portion of the program database. This operation can also be scheduled. The backup will be scheduled as an AT task on the local machine with default AT task settings.

EXPORT SYSTEM SETS TO A COMMA

To backup all program information including management sets to a CSV file, choose the Export to Comma-Delimited File from the System Set menu on the main dialog. This will save the system list database to a comma-delimited text file. Specify a path and a file name for the new backup file. The text file is human readable and can be used to backup system sets for disaster recovery or to transfer set information from one computer to another.

(63)

EXPORT SETTINGS TO REMOTE LICENSE SERVER

When using remote licensing (license sharing) the management sets and other settings are not

automatically shared between all of the management consoles. To push or pull settings between remote license servers, go to the Groups menu on the main dialog and select either Export settings to remote license server. If Importing from the remote license server, use the Import settings from remote license server. This option will only be available when remote licensing is in use.

This will copy all the program settings to the Remote License Server. The local machine must be connected to the remote system specified in the Registration dialog. When using this option, all information regarding management sets, machine information and more will be sent to the remote system. This will update any existing management sets and system information that are on the remote license server. This operation will not remove any additional management sets or system information that are found only on the remote system. This feature can be used to synchronize management set information between multiple administrators that work on the same sets of systems from different physical locations.

Admin Guide. Version Lieberman Software Corporation

Admin Guide

Version 7.50

CONTENTS

IN THIS CHAPTER

OVERVIEW

PREREQUISITE KNOWLEDGE

PERFORMANCE NOTES

LICENSE AGREEMENT

LIMITED WARRANTY

IN THIS CHAPTER

MAIN DIALOG PULL-DOWN MENUS

























































MANAGED SYSTEMS LISTS

IN THIS CHAPTER

CREATE MANAGEMENT SETS





















EXCLUSION LIST

ADDING SYSTEMS TO A SIMPLE MANAGEMENT SET















ADD FROM DOMAIN SYSTEMS LIST

ADD FROM NETWORK BROWSE LIST

ADD FROM SHELL NETWORK BROWSE LIST

ADD SYSTEMS MANUALLY

ADD FROM ACTIVE DIRECTORY

ADD FROM IP SCANNED RANGE

IMPORT/EXPORT SYSTEMS LIST





ADDING SYSTEMS TO A DYNAMIC MANAGEMENT SET













DYNAMIC SET NAME AND COMMENT

DYNAMIC SET DOMAINS