RED Services Management


Admin Guide: RED Services Management, Version 8.1.1

Copyright Lieberman Software Corporation. All rights reserved.

The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited. Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If there are any problems in the documentation, please report them to Lieberman Software in writing. Lieberman Software does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation 1875 Century Park East, Suite 1200 Los Angeles, CA (310) Support: Website:

Contents

CHAPTER 1 INTRODUCTION: Overview Prerequisite Knowledge Performance Notes License Agreement Limited Warranty

CHAPTER 2 PRODUCT INSTALLATION: Installation Prerequisites Port and Program Requirements RED Services Management Installation Database Options Database Settings

CHAPTER 3 MAIN DIALOG: Main Dialog Pull-down Menus

CHAPTER 4 MANAGED SYSTEMS LISTS: Create Management Sets Exclusion List Adding Systems to a Simple Management Set Add From Domain Systems List Add From Network Browse List Add Systems Manually Add From Active Directory Browse Options Add From IP Scanned Range Import/Export Systems List Adding Systems to a Dynamic Management Set Dynamic Set Name and Comment Dynamic Set Domains Dynamic Set IP Address Ranges Dynamic Set Active Directory Paths Dynamic Set Data Sources Dynamic Set Explicit Inclusions Dynamic Set Explicit Exclusions Dynamic Set Filter Options Dynamic Set Options 4.5 Change Management Set Properties Import Management Sets Import from a Comma-Delimited File Import from ODBC Datasource Set the Database Connection String SQL Statement Retrieving the Data using the Database Import from a Scanned IP Range Restore Internal Database from a RegEdit file Backup Management Sets Backup Internal Database to RegEdit File Export Systems List to a Comma-Delimited File Delete Management Set Delete Internal Database

CHAPTER 5 MANAGE SYSTEMS DIALOG: Manage Systems Dialog Manage Systems Pull-Down Menus Context Menu Shortcuts (Right Click Menu) Viewing Options Filter Services List Manage Systems Dialog Systems List Columns System Name Resolution Selecting Machines Highlight Lists Refresh Info (Get Role/Version) Internal Service Configuration Information Update Management Set Stop Current Operation Remove Systems from Management Set Generate Report on Systems in Management Set

CHAPTER 6 OPERATIONS: Restarting/Stopping/Starting a Service Manage Service Properties Run Process Options Logon Cache Values Apply New Service Account Settings Change Service Startup Type Config Options Service Failure Recovery Settings Security Descriptor Install Service Install Service Systems Install Service Service Configuration Install Service Service File Copy Install Service Logon Information Remove Services Miscellaneous Operations Send Message Reboot Highlighted Systems Job Results Dialog Finding Services Missing from Systems

CHAPTER 7 IP SCANNER DIALOG: IP Scanner Menu - File Import Subnet List Export Scanned Entries IP Scanner Menu - Options Thread Maximum Override IP Scanner Menu - Scan Subnet IP Scanner Menu - Report Generator IP Scanner Menu - Alternate Administrators Administrator Accounts Menu - Add IP Scanner Menu - Exclusion List Systems Excluded From all Operations Vulnerability Testing

CHAPTER 8 ALTERNATE ADMINISTRATORS: Administrator Accounts Editor

CHAPTER 9 CONFIGURING REPORTS: Report File Output Type HTML Edit Dialog Post-Generation Action Configuring Server Settings SMTP Settings: General SMTP Settings: SMTP Logging SMTP Settings: Outgoing Server

CHAPTER 10 DEFERRED PROCESSING: Scheduling Options 10.2 Jobs Monitor Dialog Jobs Monitor Menu Items Editing a Job Job Scheduler Service Installation Job Scheduler Log File Dialog Job Scheduling Check Interval

CHAPTER 11 REMOTE CONTROL: Setting up VNCPass Open VNC Connection VNC Options Import Settings from a.rcm File Install/Remove VNC on System Start/Stop/Restart the VNC service Set VNC Password

CHAPTER 12 PROGRAM SETTINGS: General Options Logging Options Registration Dialog Use Remote License License Token Assignment About Logon Information Dialog

CHAPTER 13 REVISION HISTORY

CHAPTER 14 INDEX

Chapter 1 Introduction

This chapter includes an overview of what Lieberman RED Services Management's goals are, knowledge that users are assumed to have, some background information on Lieberman RED Services Management's multi-threaded nature and performance information, and how the program works in Windows. Also in this chapter you can find directions to the License Agreement and a copy of the limited warranty agreement that come with the software.

IN THIS CHAPTER: Overview; Prerequisite Knowledge; Performance Notes; License Agreement; Limited Warranty

OVERVIEW

Welcome to Lieberman RED Services Management. If you have purchased the product, read on to discover all the features at your disposal. If you are just evaluating the product, we hope you will be very pleased with its capabilities.

Lieberman RED Services Management allows you to simultaneously manage virtually every aspect of your Windows services on Windows systems. You can retrieve/change service account names and passwords, remotely start/stop services, manage service dependencies, manage service security, and more.

1.2 PREREQUISITE KNOWLEDGE

Before we begin, we assume that you are already an experienced Administrator for Microsoft Windows. You should be familiar with basic networking, services, and typical administration tasks. More advanced operations may require more specialized knowledge. RED Services Management is designed to make administration tasks quick and easy for the skilled administrator; not to teach administration. If you have problems or need assistance in the installation and operation of this product, you can contact us for assistance - we want your installation and operation to be a smooth and successful experience.

If you plan on using a SQL Server installation or SQL Express for your program's data store, rather than the local registry, we recommend that you be familiar with the administrative concerns that go along with updating and maintaining an instance of SQL Server (or have a database administrator that is familiar with these issues). Topics that you should be aware of include: securing the database, creating access roles to allow access to your users, patching the database and keeping up to date with updates, and backing up and/or auditing the database to ensure you don't lose your stored data.

1.3 PERFORMANCE NOTES

Service account control in Windows was always designed for remote administration and Microsoft does provide a tool for remote service administration using the services snap-in. However, the services snap-in only works with one system at a time. What we have done is expanded on the services snap-in by creating a tool that concurrently administers services across all of the Windows machines in your organization using a single interface screen. We also exploit Windows' multitasking ability by spawning large numbers of threads so that each machine under control has a thread dedicated to its management. The addition of multi-threading drops administration times by many orders of magnitude--making an impossible job now fast and easy.

RED Services Management is a multi-threaded management system (by default RED Services Management will use up to 100 worker threads). The software will automatically exploit all available processors to enhance the performance of the program.

RED Services Management operations utilize only moderate network bandwidth, and do not exceed the bandwidth requirements of comparable operations using built-in Windows tools. When operating over a WAN (Wide Area Network), you will see some degradation in overall completion times due to packet transmission delays. Because of RED Services Management's multi-threaded operation, communication with many systems will be happening concurrently, so network delays will not be cumulative.

If you choose to cancel multi-threaded operations in RED Services Management, you must wait for all running threads to complete or time out before performing another operation. There is almost always an on-screen indicator that shows the current number of active threads.

LICENSE AGREEMENT

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation as well as all accompanying items promptly for a refund.

1. Your Rights: Lieberman Software hereby grants you the right to use a single copy of the Lieberman RED Services Management to manage the licensed number of systems. This software is licensed for operation on only one machine unless other license arrangements have been made in writing between Lieberman Software and your organization.

2. Copyright. The SOFTWARE is owned by Lieberman Software and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also--you may not make copies of the manual for any purpose other than the use of the software.

3. Other Restrictions: You may not rent, lease, or transfer the SOFTWARE to any other entity. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.

4. Notice: This software contains functionality designed to periodically notify Lieberman Software of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software under these circumstances, and you agree to not hold Lieberman Software responsible for the use of any or all of the information by Lieberman Software or any third party.

Lieberman Software Corporation 1875 Century Park East, Suite 1200 Los Angeles, CA Support: Website:

1.5 LIMITED WARRANTY

The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30-days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media (if either were supplied).

The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided "AS-IS," without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation of/for consequences of any such errors.

This agreement is governed by the laws of the State of California.

Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write: Lieberman Software Corporation 1875 Century Park East, Suite 1200 Los Angeles, CA

You can also keep up to date on the latest upgrades via our website at or us at: sales@liebsoft.com.

Chapter 2 Product Installation

This section outlines each step in the process of installing the software on your machine. This section also includes instructions for upgrading the registry size because this may be required in order to use Service Account Manager.

IN THIS CHAPTER: Installation Prerequisites; Port and Program Requirements; RED Services Management Installation; Database Options

INSTALLATION PREREQUISITES

1) This program must be run on Windows 2008 R2 or later. The program can be run from any machine on your network. We recommend installation on a machine that has at least 1GB of RAM and at least 500 Megabytes of free disk space available. You will need a screen resolution of at least 1024x768 to see all of the dialogs.

2) Administrative Privileges are required to run the software. We recommend that you use a domain administrator account for all of your activities.

3) Microsoft SQL Server 2008 or Microsoft SQL Express 2008 or later is highly recommended for the program datastore.

2.2 PORT AND PROGRAM REQUIREMENTS

Below is a list of the ports that can be used by features of Service Account Manager.

Port 137, 138, NetBIOS Name Service ports. This service handles file and folder sharing between Windows Machines. These ports are required for User Manager Pro to function properly.

Port Alternate NetBIOS Name Service port (Win2K, XP, 2003). This port is not required unless the normal NetBIOS Name Service ports (137, 138, 139) are closed. Be aware that this alternate port for the NetBIOS Name Service will not work on Windows NT 4.

If the machines you are managing are all Windows 2000 and later, you may safely disable NetBIOS over TCP/IP with limited side effects:

- subnet mask/MAC address retrieval may fail
- use of DHCP/Static IP configuration may fail

You must also ensure that the following items/services are installed and enabled:

- remote registry service
- file and print sharing for Microsoft networks

2.3 RED SERVICES MANAGEMENT INSTALLATION

Launch the installer and follow the prompts to select an installation directory and other options. RED Services Management will launch automatically after installation.

Click Next on the welcome screen.

Read and accept the license agreement to continue the installation, then click Next.

Choose the installation location. RED Services Management will install to the Service Account Manager sub-folder under that location. Click Next to continue.

Click Install to perform the installation.

Click Finish to complete the installation and launch the product.

Click OK to enter licensing information. Enter a customer name and the company's name. If demoing this product, leave the default serial number alone or enter a new demo key. This included key is a limited evaluation key specific to your system that is valid for 10 systems and 30 days from the time of installation.

The registration code may be [re-]entered at any time by selecting Help > Register from the main dialog.

Click OK to continue. If a commercial key has been provided, replace the demo key with it and click OK. A message box indicating successful registration will be presented.

At this point, RED Services Management will open its main dialog. Now configure RED Services Management to use a database for its reporting functions or create a group of systems (a management set) to manage.

DATABASE OPTIONS

Most program data is stored in the registry of the local machine. If the size of this data grows too large, the performance of the machine can suffer. Storing data in the local registry also represents a significant obstacle for remote distributed access/operations. For these reasons, the product will be configured to store reporting information in a Microsoft SQL 2008 or later database. The database is only required for reporting operations. The database is not required for management operations.

SQL Server 2008 or later

SQL Server is the preferred database storage solution for our tools. It has the best performance of all the database solutions which are supported, and has easy-to-use configuration and management utilities. However, installations of SQL Server can be expensive, so this might not be a feasible solution for small and mid-size organizations.

To use SQL Server, use an existing installation. This product can create a new database on the server for the program to use if the user or SQL account has appropriate permissions to do so. If the database is set up to use explicit authentication, provide the username and password of a login account with read, write, ddl_admin, execute, and create tables access to the database.

SQL Express

SQL Express is the free version of SQL Server without the administrative tools and with the number of connections and database maximum size limited.

Database Settings

To configure the product to use a SQL/SQL Express database for its datastore, go to the Settings > Data Store Options menu.

When the program is first opened, it will be configured to use the registry for its main datastore. This default setting is provided to allow use and configuration of the tool with minimal effort and may be suitable for organizations with a very small number of computers. To improve performance, scalability, durability, and use all features of the tool, you should configure the use of SQL or SQL Express.

To configure the product to use SQL as its main datastore, select the option for SQL Server.

Configure SQL options.

In this dialog, the following items must be configured:

Database Provider: OLEDB Provider: SQL Server (default MDAC provider).

Server Name: If connecting to a named instance of SQL or SQL Express, use the format ServerName[\InstanceName] or ServerName[,PORT###] to specify the database server name, the server name with a named instance, or the server name on a custom port (exclude the left and right brackets!). Click Manage Database Instances to create a new empty database to connect to.

Authentication Information: Choose between using Windows Integrated Authentication (current run-as user) or Use database native authentication mode (SQL database user account).

If using a MS SQL database, a custom schema can [and is highly recommended to] be chosen. This ensures that the program will call for fully distinguished table names rather than relative table names. This is especially important when integrated authentication is being used and not all users have the same DBO/sysadmin rights over the database or server.

Once a server name and connection authentication mode are selected, use the Test Connection button to test the connection to the database.

Other optional items include:

Encrypt communication with database - Enable the use of SSL when connecting to the database. SSL connection encryption is available to SQL Server 2008 or later. There are further implications to consider when using SSL with the database; the database server must be configured to use SSL and all parties must trust the server certificate. Refer to your Microsoft SQL Server documentation.

Add additional connection string parameters - Use this option to add additional connection string parameters to the currently derived (default) connection string.

Override settings - use custom connection string - Do not use the derived connection string and provide your own connection string.

Set explicit connection limit - Set the allowed/preferred connection limit. This will limit the number of simultaneous connections to the database. If this is not done, it is possible to slow down the performance of the solution or, worse, cause connection timeouts waiting on threads that will never return information because the database cannot handle as many threads as will be spawned.

Overwrite the default database timeout value - The value in seconds for the database connection timeout. Shorter timeouts may cause long-running queries to be terminated prematurely, while values that are too long may let queries that will never finish hold up the entire process. Leave the box unchecked to use the default timeout of the OLEDB provider, which is typically 30 seconds.

When finished configuring the database settings, click OK to save the settings and return to the main console. The product will verify that it can connect to the database specified in the settings and that all the table formats are current and correct. If a connection cannot be made or if the database format is not correct, an error message indicating the problem will appear.
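The database access described in this section (a login with read, write, ddl_admin, execute, and create tables access, working in a custom schema rather than as DBO/sysadmin) can be provisioned as shown in the following T-SQL. This is an added example, not part of the original guide or a vendor-supplied script; the database name RedSvcReporting, the schema redsvc, the login red_svc_app and the password placeholder are hypothetical.

```sql
-- Added example. All object names and the password placeholder are hypothetical.
-- Run as a DBA from sqlcmd or Management Studio ("GO" is their batch separator).
-- The system procedures used here are available on SQL Server 2008 and later.

USE [master];
GO
-- Dedicated SQL login for native authentication mode, subject to password policy.
CREATE LOGIN [red_svc_app]
    WITH PASSWORD = N'<replace-with-generated-secret>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

USE [RedSvcReporting];   -- assumed: the reporting database already exists
GO
-- Custom schema so the program's tables are addressed by fully qualified names.
CREATE SCHEMA [redsvc] AUTHORIZATION [dbo];
GO
-- Map the login to a database user whose default schema is the custom schema.
CREATE USER [red_svc_app] FOR LOGIN [red_svc_app]
    WITH DEFAULT_SCHEMA = [redsvc];
GO

-- The access listed in this section: read, write, ddl_admin, execute, create tables.
EXEC sp_addrolemember N'db_datareader', N'red_svc_app';
EXEC sp_addrolemember N'db_datawriter', N'red_svc_app';
EXEC sp_addrolemember N'db_ddladmin',   N'red_svc_app';
GRANT EXECUTE      TO [red_svc_app];
GRANT CREATE TABLE TO [red_svc_app];
GO

-- Review 1: fixed database roles held by the account.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals  AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals  AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'red_svc_app'
ORDER BY r.name;

-- Review 2: explicit database-level permissions (class 0 = DATABASE).
SELECT p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = N'red_svc_app'
  AND p.class = 0
ORDER BY p.permission_name;

-- Review 3: server-level sysadmin membership of the login
-- (the account is meant to work without DBO/sysadmin rights).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'red_svc_app') AS is_sysadmin;
GO
```

Enter the same login in the Authentication Information fields and the same schema in the custom schema field, then use Test Connection.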


Chapter 3 Main Dialog

The initial screen of Lieberman RED Services Management presents you with a list of machine groups that can be managed. These groups will contain the systems on which you want to perform operations. You can create an unlimited number of machine groups based on the topology of your network. Many customers create groups for PDCs, BDCs, Servers, Workstations, different physical locations, and LAN/WAN sites. The advantage of machine groups is to present you with systems organized the way you do your administration.

There are two different types of management sets in RED Services Management: simple (see Adding Systems to a Simple Management Set, on page 29) and dynamic (see Adding Systems to a Dynamic Management Set, on page 42). Simple management sets have static membership lists, while dynamic management sets are defined by ranges where all systems within those ranges are included in the list. Dynamic management sets can be used to manage a set of systems that are defined by a domain, an Active Directory OU, or a specific IP address range, where the actual systems in that range may vary.

Initially there are no machine groups, so you will need to Create Management Sets (on page 24), and then proceed with Adding Systems to a Simple Management Set (on page 29), followed by reporting on and/or making changes to those same systems.

On the bottom right side of the screen, you can see the License Mode. Local Machine means you are running a license keyed for your local machine. If the entry is Remote: ServerXXX, you are sharing the license key from the ServerXXX (one of your machine names) machine.

On the bottom left side of the screen are options to manage your groups. Activate launches the management interface of the selected group, Add creates a new simple group to manage, and Delete deletes the (highlighted) group(s) from your list of managed groups.

IN THIS CHAPTER: Main Dialog Pull-down Menus

MAIN DIALOG PULL-DOWN MENUS

SETTINGS

General Options - Set up the general program options like threading, wait time, and process order.
Logging Options - View, print, or change the save location of Lieberman RED Services Management's log file.
Program Datastore Options - Configure Lieberman RED Services Management to use the registry or a SQL database as its reporting datastore.

PROGRAM

Backup Internal Database to: Binary, RegEdit File - Copies the entire internal database used by the program to a RegEdit file.
Restore Internal Database from: Binary, RegEdit File - Restores the entire internal program database from a RegEdit file.
Import Previous NT SAM 2.0 Settings - Manual upgrade from an existing 2.0 installation.
Delete Internal Database - Removes the internal program database from the registry.

GROUPS

Import from Comma-Delimited File - Updates groups/machines database from a comma-delimited backup file.
Import from ODBC Datasource - Updates the list of systems, groups from an ODBC datasource.
Export to Comma-Delimited File - Copies the groups/machines database to a comma-delimited file.
Activate Selected Group - Open the currently selected group in the Manage Service Group dialog.
Add Simple Group - Creates a new empty group.
Add Dynamic Group - Creates a new empty dynamic group.
Remove Selected Group - Remove a group of machines from the internal database.
Group Properties - Change the name of a group or change the group comment.

DEFERREDPROCESSING

Jobs Monitor - Opens the Jobs Monitor dialog.
Retry Policy - Opens the Retry Policy dialog to adjust handling of errors.

HELP

Help Contents - Displays this help file.
Show Tip of the Day - Shows the Tip of the Day.
License Keys - The License Token Dialog allows you to assign or release license keys to systems.
Register - Allows you to enter registration information.
Logon Info - Displays your current logon information.
Revision History - Displays the product's revision history.
Check For Updates - Checks the web for any recent updates to Lieberman RED Services Management.
About - Displays version, product, and license information.

Chapter 4 Managed Systems Lists

Systems that will be managed are organized into lists called management sets. This allows creation of logical groupings of systems based on their type, operating system version, physical location, or any other personal organization scheme. This chapter describes how to create and manage lists of systems. A system must be located in one or more management sets before performing operations on it.

This chapter includes all the ways to add or remove systems from the program as well as the ways to back up system lists and program data.

There are multiple ways to add systems to the current management set. To access these features, either select them from the context menu (right click in the systems list window) or click on the SystemsList menu option.

Add From Domain Systems List (on page 30) - This is the fastest way of adding systems that have joined a trusted domain. This uses the NT4 style domain browser.
Add From Network Browse List (on page 32) - The easiest way to find machines using the network browse list.
Add from Shell Browser - Add systems from the Windows shell network browser.
Add Systems Manually (on page 33) - For machines that are not visible or have not joined the domain.
Add From Active Directory (on page 35) - To add machines using the Object Picker under Windows 2000 and later.
Add from IP Scanner - Add machines by specifying IP Address ranges or domains.
Import Systems List from a Text File - Import a list of systems from a text file.
Export Systems List to a Text File - Export a list of systems to a text file.

IN THIS CHAPTER: Create Management Sets; Exclusion List; Adding Systems to a Simple Management Set; Adding Systems to a Dynamic Management Set; Change Management Set Properties; Import Management Sets; Backup Management Sets; Delete Management Set; Delete Internal Database

CREATE MANAGEMENT SETS

System sets are used to group systems together for management purposes. Typically, system sets are created to reflect the management of subsets of systems such as "Dev Servers" or "OLTP Servers". Dynamic groups contain a variable list of systems and are built on criteria such as location on Active Directory, domain membership, or operating system type. This list of systems is updated automatically.

Choose one of two ways to create a dynamic management set (see Adding Systems to a Dynamic Management Set, on page 42):

- Select the "Add Dynamic Group" option from the "Groups" menu.
- Select the "Add Dynamic Group" option from the context menu (right-click menu).

Choose one of the three ways to create a simple management set (see Adding Systems to a Simple Management Set, on page 29):

- Click on the "Add" button from the Systems Group to Manage panel.
- Select the "Add Simple Group" option from the "Groups" menu.
- Select "Add Simple Group" from the context menu (right-click menu).

Click the Add button to begin the process of adding a management set:

- A simple management set that contains only the local host system.
- A dynamic management set that uses the local domain as the source from which to draw a list of systems.
- A custom simple management set (see Adding Systems to a Simple Management Set, on page 29) that has no members. Manually choose which systems to add to the management set.
- A custom dynamic management set (see Adding Systems to a Dynamic Management Set, on page 42) that has no initial settings. Define the criteria that the management set will use to populate itself.

After selecting an option to add a new management set, additional steps may be required based on the selection.

If creating a management set with only the local system, a window like the one below will open and already have the RED Services Management host system in it.

If creating a management set with all the systems in the same domain as the local system, a window like the one below will open with all systems from the local domain (according to the local domain controller).

If creating a custom simple management set, the window below will open with no systems added.

If creating a custom dynamic management set, the dynamic properties dialog will open and criteria must be provided to dynamically build the list of systems for the management set.

Depending on which option is chosen, you will be prompted for additional information. Please continue reading the following sections to properly configure a management set.

4.2 EXCLUSION LIST

If a system may be added to a management set that should never be managed, no matter what, use the Systems Excluded from all Operations under the SystemsList menu.

The Exclusion list allows specifying system names that this tool will not be allowed to modify or report on, no matter what. These could be servers or administrator machines, or maybe just sensitive machines. The exclusion list is program wide.

Use the Add and Delete buttons to modify the list entries or use the Import List button to load a line delimited text list of systems. If making a change to a system in the list, a confirmation pop-up confirming the change will appear.

ADDING SYSTEMS TO A SIMPLE MANAGEMENT SET

There are various different ways to add systems to a management set manually once the set has been created:

- Add from domain systems list.
- Add from network browse list.
- Add from shell network browse list.
- Add systems manually by name.
- Add from Active Directory.
- Add from scanned IP ranges.
- Import/Export Systems List from text file.

These methods are in addition to the IP Scanner and ODBC query, which can both be used to create a new management set.

36 30 Managed Systems Lists Add From Domain Systems List Shown below is the Add from Domain List dialog. The fastest method of adding Windows systems to this program is to inquire at the Domain Controller for the list of machines which have joined the domain. There are a few confusing cases when viewing servers in the domain list. The machine list may not represent all of the machines on the network (some machines may not have joined the domain). The list usually contains systems that have left the domain, but have not been purged from the domain database.

After adding machines to the Selected Systems list, use the Platform? button to verify the connectivity, credentials, and version of the selected systems. The Platform? feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added. The Platform field indicates what operating system type is running.

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing Platform?), there are columns to display the Platform, Version, Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both a Workstation and a Server to have the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

Add From Network Browse List

Shown below is the Add From Network Browse dialog.

To add a machine using the Network Neighborhood browsing architecture of the operating system, press the Insert key on the keyboard or the Browse button on the Manage Systems dialog. Information can only be populated here if the Computer Browser services are started on your systems. If the Computer Browser services are not started, no information will be present in this list.

After adding machines to the Selected Systems list, use the Platform? button to verify the connectivity, credentials, and version of the selected systems. The Platform? feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added. The Platform field indicates what operating system type is running.

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing Platform?), there are columns to display the Platform, Version, Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both a Workstation and a Server to have the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

Add Systems Manually

Shown below is the Add Systems Manually dialog. In cases where machines cannot be discovered, systems may need to be added manually.

After adding machines to the Selected Systems list, use the Platform? button to verify the connectivity, credentials, and version of the selected systems. The Platform? feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added. The Platform field indicates what operating system type is running.

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing Platform?), there are columns to display the Platform, Version, Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both a Workstation and a Server to have the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

Add From Active Directory

Shown below is the Add Systems from Active Directory dialog on the Active Directory Browse page.

The default options for the control are to show both up-level (native and mixed mode) systems and down-level systems (NT). Options to search any desired domain controller or to select a desired directory can be specified here. The Browse Options page is detailed in the following section.

BROWSE OPTIONS

Shown below is the Browse Options page of the Add From Active Directory dialog.

The Browse Options page shows the available options to put into effect when the "Browse" button is clicked on the first page. There is typically no need to change the browse options. If changes are made on the "Browse Options" page, return to the first page and click the "Browse" button to see the results of the new options.

The default options are to browse for machines in up level and down level domains to which the host system is joined. The default domain is the one the currently logged-on user account is authenticated with, and the search is performed from the local machine.

ACTIVE DIRECTORY BROWSE OPTIONS

TARGET COMPUTER

These options allow controlling where searches are to be performed. Normally these options should be ignored. Use these options to extract machine lists from foreign/non-Active Directory domains.

Skip Target Domain Controller Check - Set this flag if the computer is not a domain controller, to save time. However, if the machine is a domain controller, this flag would not typically be set. It is usually best to select domain objects from the domain scope rather than from the domain controller itself.

Target Computer (optional) - Allows specifying where to execute the search via the text entry field below the check box. Set the check box and set the field to a non-Active Directory domain controller to see a list of machines that have joined that domain (the "Skip Target Domain Controller Check" should be unchecked in this scenario). If the "Target Computer" entry field is blank, the current machine is the target computer.

ACTIVE DIRECTORY SCOPE OF PROVIDER SEARCH

These options allow controlling which data source is to be used for the machine search. Generally, leave all of these options unchecked.

Force Starting Scope as - Sets the first entry in the "Look in" drop down to the option selection. Normally the drop down will default to its own choice.

Provider - These options are different data sources for searches.

LOOK-IN OPTIONS

Up level Joined Domain - Search the up level domain to which the target computer is joined. If this flag is set, use the "Up level Domain Controller" entry field to specify the name of a domain controller in the joined domain.

Up level Domain Controller Field - This field can be blank even if the "Up level Joined Domain" is checked, in which case the dialog box looks up the domain controller. This entry field enables specifying a domain controller in a multi-master domain. For example, an administrative application might make changes on a domain controller in a multi-master domain, and then open the object picker dialog box before the changes have been replicated on the other domain controllers.

Down level Joined Domain - Search the down level domain to which the Lieberman RED Systems Management host computer is joined.

Enterprise Domain - Search all Active Directory domains in the enterprise to which the target computer belongs. If the Up level Joined Domain check box is set, then the results represent all Active Directory domains in the enterprise except the joined domain.

External Up level Domain - Search all up level domains external to the enterprise but trusted by the domain to which the target computer is joined.

External Down level Domain - Search all down level domains external to the enterprise but trusted by the domain to which the target computer is joined.

Workgroup - Search the workgroup to which the target computer is joined. Applies only if the target computer is not joined to a domain.

User Entered Up level Scope - Enables entry of an up level scope. If neither of the "USER ENTERED" types is specified, the dialog box restricts the query to the scopes in the "Look in" drop-down list.

User Entered Down level Scope - Enables entering a down level scope.

Add From IP Scanned Range

This option will open the IP Scanner Dialog to scan TCP/IP address ranges for systems that respond to the currently logged-on credentials. Once the ranges are defined and systems are found, use the IP Scanner's export options to add systems to system sets.


As this feature successfully contacts each machine on the list, it inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added.

Import/Export Systems List

The following methods are listed under the Import/Export Systems List item of the SystemsList menu to import or export systems lists:

- Import System List from Text File
- Export System List to a Text File

These methods make it easy to import systems lists from text files. An import requires a previously created list of systems that is properly formatted. Properly formatted text files of systems lists have one system name per line.

4.4 ADDING SYSTEMS TO A DYNAMIC MANAGEMENT SET

A Dynamic Management Set is a set which contains all the systems found in one or more ranges. The range can be any combination of IP address ranges, domains, Active Directory containers, database queries, or explicit inclusions. This range can be further customized by the use of operating system filtering options.

The following diagram illustrates the different ranges that can all be used within a dynamic set. For this dynamic set, the system list will include systems found in all of these ranges.

Because the system list for a dynamic management set is pulled dynamically from a range, the set can stay in sync with a changing network configuration without user intervention. The list of systems in a dynamic set is re-scanned on a recurring (customizable) interval. A dynamic set may be configured to add any new systems found in the range to the set and/or release systems from the set that are no longer in the inclusion range.

The following diagram depicts the flow of events in the cycle of a dynamic management set.

The purpose behind dynamic management sets is to create a set that will dynamically update its system list to match the current state of the managed range, without having to manually add and remove systems when the network is reconfigured.

By default, dynamic sets are checked every 30 days for new systems in the network configuration, and old systems which have lost contact are removed after 90 days of inactivity. Additionally, systems may be removed from the set if they are not found within the range after a re-scan.

An example of a dynamic system set would be a dynamic system set managing the domain MyDomain. After setting up the domain to be scanned every ten days in the options page, the program will scan the range and add all systems in MyDomain to the systems list for the set. During the month, three systems are removed from the domain and four new systems are added.

At the start of the next month the product will refresh information for all the systems on MyDomain. The Windows domain membership has changed, but the system set will have synchronized automatically. The dynamic system set has been scanning the domain for membership every 10 days and already has the current system list for MyDomain.

To create a dynamic system set click on Add System Set from the System Set menu in the main dialog or select then choose Custom Management Set. Each aspect of the dynamic set is described in the following sections.

Enter a unique name for a new system set. The other available configuration options for dynamic sets are:

- A comment.
- A range for the dynamic set using one or more of the following: Domains, IP Address Ranges, Active Directory Paths, and Data Sources.
- An Explicit Inclusions entries list for systems to be included that may be outside of the range.
- An Explicit Exclusion entries list for systems that will be in the range but should not be managed.
- Filter Options to limit set membership to specific names of systems, operating system versions, or system types.
- Options to specify how often the range is scanned for new systems and under which conditions old systems should be removed from the set.

Dynamic Set Name and Comment

Shown below is the Name/Comment tab.

Specify a name for the set and an optional comment. These properties are identical to their simple set equivalents. Use any characters desired to specify set names except "\\".

Dynamic Set Domains

Shown below is the Domains tab.

Use this tab to add domains by the domain's NetBIOS name (NT style). If the domain in question is an Active Directory domain, use the Active Directory Paths tab instead.

Add new domains to the dynamic range by clicking the box button in the upper-right of the list control. Either manually enter the name of the domain, or browse for domain names using the ellipsis ("...") button. It is also possible to specify a system to get a list of trusted domains: type in the name of the domain controller and click Refresh. This will populate the dialog with a list of trusted domains.

Dynamic Set IP Address Ranges

Shown below is the IP Address Ranges tab.

Use this tab to scan a range of IP addresses to find systems.

Click the New button to add a range.

Specify whether a subnet or a specific start/stop IP address is being added, and add any required description. Click OK.

Add new IP address ranges to the set by clicking the box button in the upper-right of the list control. Any systems found within the IP range that authenticate will be included in the dynamic set. Only systems that respond are added to the set through the IP Scanner. Systems that are off-line will not be added to the set through the IP Scanner.

Dynamic Set Active Directory Paths

Shown below is the Active Directory Paths tab.

The Active Directory Paths tab is used to include and subsequently exclude systems from the management set. Use this tab to add entire Active Directory domains, or portions of the domains such as OUs and containers. The exclude path is actually a subset of the include path. If it is desired to exclude systems that would otherwise be included from the management set, then add those systems to the Explicit Exclusions tab.

Add new Active Directory paths by clicking the box button in the upper-right of the list control. Systems found using these paths will be included in the dynamic set. Add as many LDAP paths as desired. Click the ellipsis (...) to the right of the LDAP Path field to browse Active Directory. If unable to browse Active Directory, type in the name of a domain controller in the Active Directory field followed by the path to the container that should be included.

When creating systems lists, the Filter Options tab can be used to look for specific names or operating system versions. If the systems being looked for are to be found in AD, this process uses quite a bit more bandwidth than is necessary. The operation is expensive because, when the Filter Options tab is used, each system must be contacted to determine whether it meets the criteria defined on that tab. In total, the systems list is derived from AD first and imported into the systems list. Then a series of secondary connections is made to the target systems to identify whether each system meets the filter criteria. The systems list is then re-filtered to contain only systems that meet the filter. The larger downside is that if a system is off-line during this operation, this process cannot be performed and thus the system will remain in the systems list and potentially be managed if the list is not updated prior to the job running.

If everything is in AD, the best practice is to use a custom LDAP query to aid in finding and filtering for systems. The most obvious benefit is the cost of this query: a single LDAP query to one domain controller obtains all the information needed without ever contacting the target systems or performing post filtering for each system in the systems list.

When generating an LDAP query, be aware of how the query is formed: the rules follow those of regular expressions, but the syntax is slightly different.

* = anything, any number of characters. As in joe* would return joe, joey, etc.
? = single character. As in jo? would return joe, joy, jot, etc.
| (pipe) = or
& = and
! = not

Single expressions are all grouped with parentheses. For example:

    (objectcategory=computer)

would return every computer at the target LDAP container.

To include multiple expressions, join them with an & and a set of parentheses. For example, to find all computers whose account name starts with LA:

    All computers = (objectcategory=computer)
    Name starts with LA = (samaccountname=la*)

Would be written as:

    (&(objectcategory=computer)(samaccountname=la*))

To include multiple expressions, join them with an & and a set of parentheses. For example, to find all computers whose account name starts with LA, but exclude Windows 2003 systems:

    All computers = (objectcategory=computer)
    Name starts with LA = (samaccountname=la*)
    Windows 2003 Operating System = (operatingsystem=windows Server 2003)

Would be written as:

    (&(&(objectcategory=computer)(samaccountname=la*))(!(operatingsystem=windows Server 2003)))

To include multiple expressions, join them with an & and a set of parentheses. For example, to find all computers whose account name starts with LA, but exclude Windows 2003 or Windows XP systems:

    All computers = (objectcategory=computer)
    Name starts with LA = (samaccountname=la*)
    Windows 2003 Operating System = (operatingsystem=windows Server 2003)
    Windows XP Operating System = (operatingsystem=windows XP)

Would be written as:

    (&(&(objectcategory=computer)(samaccountname=la*))(!(|(operatingsystem=windows Server 2003)(operatingSystem=Windows XP))))

Break apart the last query to see the steps a little easier:

    (&
      (&
        (objectcategory=computer)(samaccountname=la*)
      )
      (!
        (|
          (operatingsystem=windows Server 2003)
          (operatingsystem=windows XP)
        )
      )
    )

Queries can be much more or less complex than what is shown here. Any attribute present in Active Directory may be used for a possible query. Three additional and useful computer filters are:

    Disabled account: useraccountcontrol: :=2

    Domain Controllers: useraccountcontrol: :=8192
    Global Catalogs: (&(objectcategory=ntdsdsa)(options: :=1))

To find all computers and exclude all disabled computer accounts:

    All computers = (objectcategory=computer)
    Disabled account: (useraccountcontrol: :=2)

Would be written as:

    (&(objectcategory=computer)(!(useraccountcontrol: :=2)))

Dynamic Set Data Sources

Shown below is the Data Sources tab of the Dynamic Set sheet.

Use this dialog to query an existing database to return a list of systems to manage.

To add queries to the list, click the box in the upper-right corner of the list. Add entries to this list using the following dialog.

Either supply a specific connection string or click the ellipsis (...) to begin a Microsoft wizard to generate the connection string. Note: if the option Allow manual editing of connection string is selected and the database connection is performed using an explicit account rather than Windows integrated authentication, the password will be shown in clear text.

Supply a properly formatted query to return the desired system names; only the system names should be returned from the query. Each resulting row from the query is expected to contain one value, which is the name of a system to be included in the set.
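The LDAP filters built up in the Active Directory Paths section can be checked against a few test entries before they drive a dynamic set. The following is an added example, not part of the guide or the product: a small parser and evaluator for the &, | and ! grammar described above, run over constructed entries. It assumes simplified entries (plain-string objectcategory, lower-case attribute names) and shows that an exact-match exclusion term does not exclude an operatingsystem value that carries an edition suffix, while a trailing * does.

```python
import re

# Constructed directory entries (not from a real domain). Attribute names are
# lower-cased and objectcategory is simplified to a plain string.
SAMPLE_ENTRIES = [
    {"objectcategory": "computer", "samaccountname": "LA-WEB01$",
     "operatingsystem": "Windows Server 2008 R2"},
    {"objectcategory": "computer", "samaccountname": "LA-FILE02$",
     "operatingsystem": "Windows Server 2003"},
    {"objectcategory": "computer", "samaccountname": "la-desk17$",
     "operatingsystem": "Windows XP Professional"},
    {"objectcategory": "computer", "samaccountname": "NY-WEB01$",
     "operatingsystem": "Windows Server 2008 R2"},
    {"objectcategory": "person", "samaccountname": "lauren"},
]

# The guide's last filter, with the "or" operator written out.
GUIDE_FILTER = ("(&(&(objectcategory=computer)(samaccountname=la*))"
                "(!(|(operatingsystem=Windows Server 2003)"
                "(operatingsystem=Windows XP))))")
# The same filter with a trailing wildcard on the XP term.
WILDCARD_FILTER = GUIDE_FILTER.replace("Windows XP)", "Windows XP*)")


def _parse(text, pos):
    """Parse one parenthesised expression starting at text[pos]."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        operator, pos, operands = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            operand, pos = _parse(text, pos)
            operands.append(operand)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("missing ')' at offset %d" % pos)
        if not operands or (operator == "!" and len(operands) != 1):
            raise ValueError("wrong operand count for %r" % operator)
        return (operator, operands), pos + 1
    end = text.find(")", pos)
    if end == -1:
        raise ValueError("missing ')' after offset %d" % pos)
    attribute, equals, pattern = text[pos:end].partition("=")
    if not equals or not attribute.strip() or "(" in text[pos:end]:
        raise ValueError("malformed term %r" % text[pos:end])
    return ("=", attribute.strip().lower(), pattern), end + 1


def parse_filter(text):
    """Parse a whole filter string; reject anything left over."""
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text at offset %d" % pos)
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (a dict of attributes)."""
    if tree[0] == "&":
        return all(matches(t, entry) for t in tree[1])
    if tree[0] == "|":
        return any(matches(t, entry) for t in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    _, attribute, pattern = tree
    # '*' matches any run of characters; comparison ignores case. A missing
    # attribute is treated as an empty string (a simplification).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, entry.get(attribute, ""), re.IGNORECASE) is not None


def select(filter_text, entries):
    """Return the account names of the entries the filter selects."""
    tree = parse_filter(filter_text)
    return [e["samaccountname"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    print("exact term   :", select(GUIDE_FILTER, SAMPLE_ENTRIES))
    print("wildcard term:", select(WILDCARD_FILTER, SAMPLE_ENTRIES))
```

A filter whose operator character has been lost, such as `(!( (operatingsystem=Windows XP)))`, is rejected by `parse_filter` instead of being evaluated.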

Dynamic Set Explicit Inclusions

Shown below is the Explicit Inclusions tab.

Use this tab to manually define entries that should always appear in this set. Using Explicit Inclusions, specify one or more systems by name that will be included in the set whether or not they are discovered by other means.

Example: System ASQL01 is added to the Explicit Inclusion list. When the domains, IP address ranges, and Active Directory paths (which make up the dynamic set range) are scanned and the system ASQL01 is not found in those ranges, the system ASQL01 is still added to the system list of the set. When the set is refreshed, the system ASQL01 will not be removed from the set unless it has been removed from the Explicit Inclusions list (or placed on the Explicit Exclusions list). Systems placed on both the Explicit Inclusions list and Explicit Exclusions lists will be excluded from the set.

Dynamic Set Explicit Exclusions

Shown below is the Explicit Exclusions tab.

Use this tab to manually define systems which should always be excluded from the set regardless of any other discovery or inclusion properties. Using Explicit Exclusions, a set of systems that will never be included in the set, even if they are within the discovery range, can be defined. Use this option to prevent the accidental addition of certain sensitive systems to the list, such as domain controllers or servers.

Example: System SERVER is the domain controller for the domain MyDomain. System SERVER should not be managed using the tool, but it is part of the MyDomain domain, which is part of the dynamic set range. The system SERVER is added to the Explicit Exclusion list. When the set is refreshed, SERVER will be found in the MyDomain domain, but SERVER will not be added to the list of managed systems even though it is included within the domain. Subsequent refreshes of the set will not cause SERVER to be added to the list of managed systems until it is removed from the Explicit Exclusions list. Systems placed on both the Explicit Inclusions list and Explicit Exclusions lists will be excluded from the set.

Dynamic Set Filter Options

Shown below is the Filter Options tab.

Use this tab to filter systems by their role, operating system, or name. This option may be used to filter any and all of the other inclusion criteria such as Domains, IP Address Ranges, etc. However, it is not recommended to use this tab when including systems from Active Directory, because Active Directory stores all of this information already. Using this dialog will force the product to add all systems found from Active Directory, then subsequently attempt a connection to each system to see if it meets the filter criteria. This can cause a job that could be performed in a single 20 second query to AD to take minutes to complete. When using Active Directory paths, it is recommended to use a custom LDAP query to filter systems by name, role, or operating system type.

Filter Options allows specifying a system name filter string (when scanning for new systems), system type matching, and OS version matching. System names which do not match the filter will be excluded from the set. The filter string can include one or more "*" as wild cards for matching systems. Do not use "?" to specify a single character wild card. Only system names which match all filter criteria will be included in the set; all other systems will be filtered out.

When using filter options, this tool will attempt a connection to the identified system in order to determine what operating system version it is. If the filter options are left in their default state (or reverted if changed) when creating sets, the tool will not attempt a connection to the system when it adds it to the set. This means a dynamic set with filter options enabled will take longer to update its systems list than a dynamic set not using filter options.

Example: Manage all the systems that contain 'SALES', such as SALES1 and WORKSTATION_SALES, by specifying a name filter of "*SALES*".

Dynamic Set Options

Shown below is the Options tab. This tab defines how often the set will automatically update and whether it will remove systems from the set automatically.

These options handle the automatic addition/removal of systems to or from the set. Adjust how often the program checks the range of the set for new systems to add to the set by selecting the Update management set every option. If the Update management set every option is not checked, the set must be manually refreshed by selecting Update System Set from the SystemsList menu.

The first two options deal with removal of systems from the set. If the first option is selected and a computer is no longer found in the configured ranges, it will be removed from the dynamic set. If the second option is selected and a system has not been contacted for 90 days, it will be automatically removed from the list.

For example: The set is configured to include all systems from LDAP://dctr/ou=wks,dc=mydomain,dc=com. When the set was first configured, there were three hundred systems in the OU. Today, 20 of those systems were decommissioned and removed from that OU. With the first option selected, when the dynamic set updates the systems list, those 20 systems would be removed from the systems list as well. Without the first option selected, they would remain in the list indefinitely or, if the second check box is selected, until they have not been contacted for 90 days.

4.5 CHANGE MANAGEMENT SET PROPERTIES

After a management set has been created, it may be necessary to change the properties of that set. For a simple set, this means simply changing the name and/or comment; for a dynamic set, these properties include the scan ranges, inclusion and exclusion lists, scan options, and filter options.

There are three ways to change the comment field for a set:

- Select the management set and click Management Set Properties from the Groups menu.
- Right-click the target management set and select Management Set Properties from the context menu via the main dialog.
- Select Management Set Properties from the SystemsList menu when in a management set.

Doing any of these in conjunction with a simple management set will display the dialog shown below.

Changing the properties of a dynamic management set will open the full dynamic management set property page. For more information about dynamic management sets, see Adding Systems to a Dynamic Management Set.

When finished editing the management set properties, click OK to save any changes.
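The refresh rules for dynamic sets described in section 4.4 (range scan, Explicit Inclusions, Explicit Exclusions and the two removal options) can be modelled to see which systems stay in scope after a refresh. This is an added example, not the product's code; the system names, dates, function names and the treatment of the program-wide exclusion list as a final filter are assumptions.

```python
from datetime import date


def _norm(names):
    """System names are compared case-insensitively."""
    return {n.upper() for n in names}


def refresh_dynamic_set(members, discovered, last_contact, today, *,
                        inclusions=(), exclusions=(),
                        remove_not_in_range=False, remove_stale_after_days=None):
    """Model one refresh of a dynamic set.

    members      -- systems in the set before the refresh
    discovered   -- systems found in the configured ranges by this scan
    last_contact -- {system: date of the last successful contact}
    Returns (kept, dropped); dropped maps a system name to the reason.
    """
    members, discovered = _norm(members), _norm(discovered)
    inclusions, exclusions = _norm(inclusions), _norm(exclusions)
    contact = {name.upper(): when for name, when in last_contact.items()}
    kept, dropped = set(), {}
    for name in sorted(members | discovered | inclusions):
        idle = (today - contact[name]).days if name in contact else None
        if name in exclusions:
            # An exclusion wins, even over an explicit inclusion.
            dropped[name] = "explicit exclusion"
        elif name in inclusions or name not in members:
            # Explicit inclusions are never aged out; new finds are added.
            kept.add(name)
        elif remove_not_in_range and name not in discovered:
            dropped[name] = "no longer in range"
        elif (remove_stale_after_days is not None and idle is not None
              and idle >= remove_stale_after_days):
            dropped[name] = "no contact for %d days" % idle
        else:
            kept.add(name)
    return kept, dropped


def job_targets(kept, program_exclusions):
    """Systems a job may touch: set members minus the program-wide exclusion
    list (applied here as a final filter, which is an assumption)."""
    return sorted(kept - _norm(program_exclusions))


# Constructed scenario: WKS04 and WKS05 were decommissioned and left the range,
# WKS06 is new, SERVER is a domain controller inside the range.
TODAY = date(2024, 6, 1)
MEMBERS = ["WKS01", "WKS02", "WKS03", "WKS04", "WKS05", "ASQL01"]
DISCOVERED = ["WKS01", "WKS02", "WKS03", "WKS06", "SERVER"]
LAST_CONTACT = {
    "WKS01": date(2024, 5, 30), "WKS02": date(2024, 5, 28),
    "WKS03": date(2024, 5, 20), "WKS04": date(2024, 1, 10),
    "WKS05": date(2024, 5, 1), "ASQL01": date(2024, 1, 1),
}


def run(**options):
    """Refresh the constructed scenario with the given removal options."""
    return refresh_dynamic_set(MEMBERS, DISCOVERED, LAST_CONTACT, TODAY,
                               inclusions=["ASQL01"], exclusions=["SERVER"],
                               **options)


if __name__ == "__main__":
    for label, options in [("first option", {"remove_not_in_range": True}),
                           ("second option", {"remove_stale_after_days": 90}),
                           ("neither option", {})]:
        kept, dropped = run(**options)
        print(label, sorted(kept), dropped)
```

With only the 90-day option selected, WKS05 stays in the set although it has left the range, because it was contacted 31 days before the refresh.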

IMPORT MANAGEMENT SETS

This tool offers various ways to create sets of machines to administer:

1) Import from a comma-delimited file.
2) Import from an ODBC data source.
3) Import from scanned IP ranges.
4) Restore management sets from a Regedit file.
5) Import from a Remote License Server.

Import from a Comma-Delimited File

This tool allows importing lists of systems from CSV files. This means that it is possible to store system lists in a text file or generate a system list from another program and then load it into a management set.

To import from a comma-delimited file, simply select the directory and file name of the file containing the system list and click Open.

A properly formatted text file will contain comma-delimited data in three columns:

1) The management set name
2) The management set comment
3) The machine name

Example:

    Windows Servers,All Windows machine,server-xyz

Import from ODBC Datasource

Many organizations are more than happy manually setting up system sets and populating those system sets manually from domain or browse lists. On the other hand, large companies that have a constantly changing inventory of machines under management will find manual methods cumbersome.

The ODBC import capability allows this program to set up its management sets and machine members from a database of systems. Source databases can be comma-delimited files, Excel spreadsheets, and SQL Server databases. In fact, almost every database today has an ODBC interface that is compatible with this program.

To use this feature, system set data should be located in three columns within the data source: one column corresponds to the set name, another to the set comment, and a third to the system name.

Getting Started

Before using this feature, permission to access the database containing the information is required. Next, set up a data source (also known as a DSN). This is under administrative tools. Lastly, identify which table contains the system set and machine name information, as well as the column names for that information. Remember that the machine name must be the NetBIOS machine name or the TCP/IP address (although this is not nearly as friendly). The last part is to set up the program to perform the import and create a little snippet of SQL code to do the retrieval.

To start, on the main dialog of the program (not in a management set), select Import from ODBC Datasource from the Groups menu.

Each part of the dialog and example steps to set up a simple interaction are described below:

- Set the Database Connection String
- SQL Statement
- Retrieving the Data using the Database

SET THE DATABASE CONNECTION STRING

Click on the button to the right of the Database Connection String entry field. Select the tab for Machine Data Source.

If the data source is already configured, select it from the list and click on the OK button. If the data source is not created, click on the New button. Using the wizard, create a data source to point to the database. This will involve picking a device driver, giving the data source a name, and finding it (attaching to it). Make sure an ODBC compatible data source is configured.

When all of the steps are completed correctly, the database connection string will become available:

    DSN=SYZCORP;DBQ=D:\SysMgr\xyz.mdb;DriverId=25;FIL=MS Access;MaxBufferSize=2048;PageTimeout=5;

SQL STATEMENT

Now write a simple piece of SQL code into the SQL Statement field. This is nothing more than a single line of text that tells the ODBC driver what table to use in your database as well as which fields to retrieve. The format of the code is:

    Select "field1", "field2", "field3" from Table

Optionally, add a second line containing a qualifier such as:

    Select "field1", "field2", "field3" from Table
    Where Table.field4 = 'Windows Servers'

or other such qualification to make sure that only the correct records are retrieved.

The returned fields are used as follows:

    field1    Group Name
    field2    Group Comment
    field3    Machine Name or IP Address

When retrieving data from an Excel database, put the Table portion of the SQL statement in square brackets: [Table]

RETRIEVING THE DATA USING THE DATABASE

To execute the SQL code against the data source, click on the Get Data button. In the log at the bottom of the dialog, note the statistics of the retrieval (example statistics):

    Unique Groups: 244
    Unique Comments: 5
    Unique Machines: 1569

At the top of the dialog are the retrieved records. The retrieved records show which system sets will be created as well as the machine names that will be added to those sets. To import all of these sets and machines, click on the Apply button.

To merge into existing system sets, leave the check box "Replace all existing sets and machines with this data" unchecked. If the existing data should be purged and replaced with the retrieved data, set the box to the checked state.
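Both the comma-delimited import and the ODBC import deliver rows of set name, set comment and machine name. The following added example (not part of the product) reviews such rows before they are applied: it rejects malformed rows, flags machines that appear on an exclusion list, computes the three counts the import dialog logs, and lists existing sets that the Replace option would purge. The sample rows, the function name and the result keys are constructed for illustration.

```python
import csv
import io

# Constructed import file in the three-column layout the guide describes:
# set name, set comment, machine name.
SAMPLE_CSV = """\
Windows Servers,All Windows machine,server-xyz
Windows Servers,All Windows machine,SERVER-XYZ
Windows Servers,All Windows machine,dc01
Sales,Sales workstations,SALES1
Sales,Sales workstations
Sales,"Sales, west",WORKSTATION_SALES
"""


def review_import(csv_text, existing_sets=(), excluded_systems=(),
                  replace_existing=False):
    """Check import rows and summarise what applying them would do.

    existing_sets    -- names of management sets already defined
    excluded_systems -- names on the exclusion list (compared without case)
    replace_existing -- True models the "Replace all existing sets" check box
    """
    excluded = {name.upper() for name in excluded_systems}
    sets, comments, rejected = {}, set(), []
    for row_number, row in enumerate(csv.reader(io.StringIO(csv_text)), 1):
        if not row:
            continue  # blank line
        if len(row) != 3:
            rejected.append((row_number, "expected 3 columns, got %d" % len(row)))
            continue
        set_name, comment, machine = (field.strip() for field in row)
        if not set_name or not machine:
            rejected.append((row_number, "empty set name or machine name"))
            continue
        if machine.upper() in excluded:
            rejected.append((row_number, "%s is on the exclusion list" % machine))
            continue
        # Machine names are stored upper-cased so duplicates collapse.
        sets.setdefault(set_name, set()).add(machine.upper())
        comments.add(comment)
    machines = set().union(*sets.values())
    purged = sorted(set(existing_sets) - set(sets)) if replace_existing else []
    return {
        "sets": {name: sorted(members) for name, members in sets.items()},
        "rejected": rejected,
        "stats": {"Unique Groups": len(sets),
                  "Unique Comments": len(comments),
                  "Unique Machines": len(machines)},
        "purged_sets": purged,
    }


if __name__ == "__main__":
    report = review_import(SAMPLE_CSV, existing_sets=["Windows Servers", "Lab"],
                           excluded_systems=["DC01"], replace_existing=True)
    for key, value in report.items():
        print(key, value)
```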

Import from a Scanned IP Range

Use the IP Scanner to scan IP Ranges for systems and then use the resulting systems list to create a new management set. To perform this operation:

1) Click on the Scan IP Ranges for Systems from the Groups menu.
2) Set up the IP Scan to find the systems to include in the management set.
3) Click on Export Scanned Entries from the File menu in the IP Scanner.
4) Select an option for creating new management sets or importing into an existing management set.
5) Click OK.

The tool will state how many total machines were added to the target management set. For more information about using the IP Scanner, see IP Scanner.

Restore Internal Database from a RegEdit file

To restore all the internal database information from a backup RegEdit file, click on Restore Internal Database from a RegEdit file from the Program menu on the main dialog. Now select the name of the backup file and the path to that file. Choose to merge the backup with the current data if new management sets were added that should be kept, or choose to replace the current internal database with the backup, which will overwrite any existing management sets. Click OK to complete the restore.

Note: An appropriate serial number for the host system or remote access to a licensed system will be required.

BACKUP MANAGEMENT SETS

This tool offers two ways to back up your groups:

1) Backup Internal Database to Regedit File.
2) Backup Systems list to a Text File

Backup Internal Database to RegEdit File

The option to "Backup Internal Database to RegEdit File" will save all the internal groups and settings to a Regedit file. You must specify a path and a file name for the new backup file. You can use this to back up your settings or transfer settings from machine to machine. You can choose to back up the program group database (program groups and system information). You can also choose to schedule this backup to happen. The backup will be scheduled as an AT task on the local machine with default AT task settings.

Export Systems List to a Comma-Delimited File

To back up all program information including system sets to a CSV file, choose the Export to Comma-Delimited File from the Database menu on the main dialog. This will save the system list database to a comma-delimited text file. Specify a path and a file name for the new backup file. The text file is human readable and can be used to back up system sets for disaster recovery or to transfer group information from one computer to another.

4.8 DELETE MANAGEMENT SET

This deletes the selected management set(s). Select one or more management sets to delete, then click the Delete button in the lower left of the main dialog.

4.9 DELETE INTERNAL DATABASE

This deletes the program's internal database from the registry. Use this option to remove all program configuration information from the local registry including: management set information, system information, job information, alternate administrators, dialog settings, database settings, report settings, and deferred processor settings.

Please note that when using an external database to store reporting results data, the reporting data will not be deleted using this operation. Licensing information is also not affected by this operation. This operation will not affect the registry of a remote license server when using remote licensing.

Chapter 5 Manage Systems Dialog

This chapter describes the Manage Systems dialog and its basic features. To open a group once it has been created, you may double-click the group from the main dialog or highlight the group and click the ACTIVATE button.

IN THIS CHAPTER

Manage Systems Dialog
Manage Systems Pull-Down Menus
Context Menu Shortcuts (Right Click Menu)
Viewing Options
Manage Systems Dialog Systems List Columns
System Name Resolution
Selecting Machines
Highlight Lists
Refresh Info (Get Role/Version)
Update Management Set
Stop Current Operation
Remove Systems from Management Set
Generate Report on Systems in Management Set ... 89

5.1 MANAGE SYSTEMS DIALOG

The Managing Systems dialog is shown below. It is the launching point for most operations in Lieberman RED Services Management.

Have you ever used a program where you were constantly repeating the same steps to get to a menu and wondered why they did not put a dedicated button on the screen for that function? Developers love to have buttons on the screen, but they are not as aesthetically appealing as blank space, so they generally get dropped from the product prior to shipping. The heck with aesthetics, we want this thing to be easy to use. Here is what the buttons do:

INFO:
Get - Retrieve the installation state, running state, user name, and password used by the systems that are currently highlighted.
Set - Start, stop and change the account used by systems that are highlighted (selected) by using the Set feature.
Stop - Stops any Get, Set, or Search and Replace operation currently in progress (you must wait for the outstanding network requests to complete).

HIGHLIGHT:
All - Highlights/selects all entries in the list.
None - Removes highlight from all entries.

HIGHLIGHT LISTS:
Select - looks up the list of systems previously recorded and then highlights the names previously recorded. "Select Set" requires one of the "Available Select" entries to be highlighted.
Save - records the current highlighted list of systems over a previously recorded name. "Save Set" requires one of the "Available Select" entries to be highlighted.
Delete - deletes a previously recorded name of highlighted entries. "Delete Set" requires one of the entries to be highlighted.
New - records the current highlighted list of systems under a name of your choosing.

HERE IS WHAT THE COLUMNS MEAN:
System - the name of system being queried. Both systems and service entries share this column. The initial sort order is by system, but you may reorder the list by clicking on any column heading.
System Icon Color - Red=Problem with service or server; Green=No Problems; Yellow=No information.
System Icon Image - Machine=System; Gear=Service
Role - role of this machine on network. Machines can be workstations (WS), servers (SRV), backup domain controller (BDC), or primary domain controller (PDC).

Ver - version of Windows NT or Windows 2000 will show up as version 5.0. Windows XP will show up as version 5.1. Windows 2003 Advanced Server will show up as version 5.2.
SvcName - service short name. Services are given an internal short name and a display name that you will normally see when using the Server Manager or Services applet in the control panel of NT/2000/Server 2003/XP.
DspName - service display name. This is the long version of a service name that is commonly displayed.
Startup - type of service startup. Services can be set to disabled, manual, or automatic.
State - service state. Indicates whether the service is running, not running (stopped), paused, or not installed.
UserName - The account name used to start the service.
IntAct - Interact with desktop flag. This flag is either set or reset for the LocalSystem account.
Password - The actual password is never displayed, however all of the passwords of the same type show up with an indicator of PWDx where x is the number of the common password. For example: if accounts A, B, and C all had the password XYZ, they would be listed with the password PWD1, and if another account had a different password, it would have a password entry of PWD2, and so on. The clear text version of the password is never displayed.
Status - the results of the last operation. Normally this field will indicate "<OK>." If you ever have a red indicator in the first column, you should go to the last column to see what the cause of the problem is.

Near the bottom of the screen is the status indicator which provides an estimate of the progress of the current task based on how much work it has done so far. Beside that is the current number of threads working on the current task. Below both these is the log file, which records the operations performed by Lieberman RED Services Management as well as the results.
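The PWDx indicator can be used for a password reuse review without ever handling clear text. The following is an added example, not part of the product: it reads a constructed CSV report and lists indicators shared by different accounts, and accounts whose indicator differs from one system to another. The report layout is an assumption based on the column headings above, and indicators are only compared within one report.

```python
import csv
import io
from collections import defaultdict

# Constructed report rows. Column names follow the headings described above;
# the real export layout is an assumption.
SAMPLE_REPORT = r"""System,SvcName,UserName,Passwd
SRV-APP01,SQLAgent,CORP\svc_sql,PWD1
SRV-APP02,SQLAgent,CORP\svc_sql,PWD1
SRV-DB03,SQLAgent,CORP\svc_sql,PWD3
SRV-APP01,BackupAgent,CORP\svc_backup,PWD1
SRV-WEB01,WebWorker,.\svc_web,PWD2
SRV-WEB02,WebWorker,.\svc_web,PWD2
SRV-WEB01,Spooler,LocalSystem,
"""


def account_key(system, user_name):
    # Local accounts written with a leading dot are qualified with their system,
    # so same-named local accounts on different machines count as different accounts.
    user = user_name.strip()
    if user.startswith(".\\"):
        user = system.strip() + user[1:]
    return user.upper()


def load_rows(report_text):
    """Return (system, account, indicator) for every row that has a PWDx value."""
    rows = []
    for row in csv.DictReader(io.StringIO(report_text)):
        indicator = (row.get("Passwd") or "").strip().upper()
        if not indicator.startswith("PWD"):
            continue  # no indicator in this row (LocalSystem in the sample)
        rows.append((row["System"].strip().upper(),
                     account_key(row["System"], row["UserName"]),
                     indicator))
    return rows


def shared_passwords(rows):
    """Indicators used by more than one distinct account (password reuse)."""
    accounts = defaultdict(set)
    for _, account, indicator in rows:
        accounts[indicator].add(account)
    return {ind: sorted(accts) for ind, accts in accounts.items() if len(accts) > 1}


def inconsistent_accounts(rows):
    """Accounts stored with different passwords on different services or systems,
    for example where a password change did not reach every service."""
    seen = defaultdict(lambda: defaultdict(set))
    for system, account, indicator in rows:
        seen[account][indicator].add(system)
    return {acct: {ind: sorted(systems) for ind, systems in by_ind.items()}
            for acct, by_ind in seen.items() if len(by_ind) > 1}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_REPORT)
    for indicator, accounts in shared_passwords(rows).items():
        print(f"{indicator} is shared by: {', '.join(accounts)}")
    for account, by_indicator in inconsistent_accounts(rows).items():
        print(f"{account} has differing stored passwords: {by_indicator}")
```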
Sorting Information - You may sort the systems and services in ascending or descending order by clicking on a column heading. For example, to see which accounts are using a specific password, click the "Passwd" column heading.

5.2 MANAGE SYSTEMS PULL-DOWN MENUS

FILE
Report Generator - Use the built-in Report Generator to output Service Account Manager information.

Settings - Set up the settings used by the Report Generator.
Windows Clustering Options - Set up options used to identify clustered resources.
Options - Set up the general program options like threading, wait time, and process order.
Log - View, print, or change the save location of Service Account Manager's log file.

VIEW
Systems+Services - Show both systems and services in the systems list.
Systems Only - Show only systems in the systems list.
Services Only - Show only services in the systems list.
Filter - The Filter allows you to customize your view of both systems and services.

JOBS
Jobs Monitor - The job monitor allows you to see what jobs are scheduled, running, and completed.
Retry Policy - The retry policy defines how the program handles jobs that fail.

SYSTEMS
Add from Domain List - Add systems to your group that have joined the domain.
Add from Browse List - Add systems straight from your network browse.
Add Systems Manually - Manually enter a system name and add it to the group.
Add from Active Directory - Use the Object Picker to add systems to your group.
Import Systems List from a Text File - Input a list of systems from a text file.
Export Systems List to a Text File - Write out the systems in this group to a text file.
Delete Highlighted Systems - Remove the highlighted system from this group.
Refresh List - Refresh the information on systems and services in this group.

GET
Get - Poll the systems and services in this group.
Stop Get - Cancel Get requests that are in progress.

SET
Set - Set properties for systems or services.
Stop Set - Cancel Set requests that are in progress.

Search and Replace - Search and Replace service properties according to your criteria.
Reboot - Reboot any machine in your group remotely.
Abort Reboot - Abort requests for reboot on selected system(s).
Send Message - Send a message to any system in your group.
Install Service - Install a service on selected machine(s) in your group.
Remove Service(s) - Remove service(s) from selected machine(s) in your group.

SECURITY
Alternate Administrator Accounts - Set up additional alternate credentials that can be used with the current login rights to administer machines in the group.
Logon Cache Settings - Allows you to make sure the changes have taken place in cached logon systems.

REMOTECONNECTION
Open Terminal Service Session - Attempts to connect to terminal services on the selected system(s).
Auto-Open VNC Connection - Attempts to open a VNC connection and logon to selected system(s).
Open VNC Viewer - Opens a VNC connection to the selected system(s).
VNC Options - Edit VNC options. These options include locations of the VNC service for copying to the remote systems, local VNC viewer settings, additional command line options, and security/password settings.
Import VNC Settings from .rcm File - Allows you to import VNC settings from a pre-existing .rcm file.
Install VNC on System(s) - Installs the VNC service on the target system(s).
Remove VNC from System(s) - Removes the VNC service from the target system(s).
Start VNC Service on System(s) - Starts the VNC service on the target system(s).
Stop VNC Service on System(s) - Stops the VNC service on the target system(s).
Restart VNC Service on System(s) - Stops and then starts the VNC service on the target system(s).
Set VNC Password - Sets the password on the target system(s) for the VNC service.

HELP

Contents - Displays this help file.
License Keys - The License Token Dialog allows you to assign or release license keys to systems.
Logon Info - Displays your current logon information.
Components - Gives names and locations of components used by this program.
Revision History - Opens the revision history for this product.
About - Opens the About Dialog, which displays product and registration information.

5.3 CONTEXT MENU SHORTCUTS (RIGHT CLICK MENU)

By selecting a system or service and right clicking it in the Manage Systems Dialog, you can access a Context Menu that allows you to perform operations quickly. The operations available on the Context Menu are:

Auto-open VNC Connection
Open Terminal Services Connection
Get Role/Version Info
Generate Report on Systems
Restart Service(s)
Stop Service(s)
Start Service(s)
Set...
Install Service...
Remove Service(s)...
Reboot...
Abort Reboot
Send Message
Open VNC Connection
Send Message
Add Systems to Group...
Browse Systems Add...

Browse Shell Add...
Domain Members Add...
Manual Systems Add...
Active Directory Systems Add...
Delete Systems
Stop Current Operation

All these features are described elsewhere, but are quickly accessible through the Context Menu.

VIEWING OPTIONS

There are multiple options for viewing systems and services inside the Manage Systems Dialog. The views available are:

SYSTEMS AND SERVICES - This will make Lieberman RED Services Management show all the systems in the list and all the services on each system in the group.
SYSTEMS ONLY - This will make Lieberman RED Services Management show only the systems and system information for each system in the group.
SERVICES ONLY - This will make Lieberman RED Services Management show only the services on each system in the group.

In addition, you can use the Filter Services List (on page 80) on machines to customize the information to your needs.

Tip: When first getting started, select the "System+Services" option under View. Also, select the filter option (discussed in just a few more pages) to show "All Installed Services." You will want to add a few systems to the system list and then perform a Get operation to retrieve all of the service information on these initial systems to get a feel for the way information is presented.

Filter Services List

The Filter Services List is shown below.

The filter option can be used to limit the list of data being kept as well as to show you services that are missing from different workstations. The filter option also allows you to set up scenarios where groups of services are changed together in one operation. You can use this feature to show only those services of interest to you (Filter List Only). This feature also shows you where key services are installed or not installed.

The dialog prompts you to enter the name of a server to get a list of services from. If you do not enter a machine name, the current system will be used. The available services list displays all services installed on the server you entered. From this list, you can highlight services and add them to the Filter List. You may also remove services, Add All, or Remove All services from the Filter List. In both display lists, both the Display name for the services and the Internal Service names are displayed.

The Status bar at the bottom of the screen displays the status of any network operation that is currently running but has not yet completed, such as retrieval of a list of services from another machine on the network.

Installed Only - no other filtering options are active. All Get operations will default to pulling all information from all systems unless you highlight specific systems and/or services on those machines for specific retrieval (via highlighting the entries prior to doing a Get operation). The "Installed Only" option is a good starting point when getting familiar with the product.

Note: when using "Installed Only", different systems will present different sets of services depending on which services are installed on each system. For example, the service list from a Windows Server 2012 machine will be vastly different from the services presented on a Windows Vista machine. If you are trying to discover which services are not installed, you will want to use the other filter options.

Filter List Only - Will only show services included on the list. To create the filter list, you select a server to retrieve the list from by entering its name and clicking on the "Refresh" button. If you are interested in a list of potential services from the local machine running the software, you can leave the field blank and click on the "Refresh" button. To add one or more entries to the filter list, highlight the entries of interest in the "Available Services" list and click on the "Add>" button next to the "Filter List" list. You can use the other buttons to control the contents of the filter list.

Filtered and Installed Services - Use this option when you want to see which services are missing as well as what is currently installed. Be careful with this option as it creates very large databases and very long lists.

Tip: Your filter list can contain service names from as many different systems as you wish.

Hide Services Running as LocalSystem - Hides services where the run as account is set to one of the built-in system accounts such as LocalSystem.

5.5 MANAGE SYSTEMS DIALOG SYSTEMS LIST COLUMNS

There are three views accessible from the VIEW menu of the Manage Systems dialog:

Systems + Services
Systems Only
Services Only

The default view is systems+services. The columns in this view are the same in all views.

System (with status) - This is the name of the system for addressing and display purposes. When Service Account Manager attempts operations on this system, it will use this name to identify the system on the network (unless you have selected a different System Name Resolution (on page 83) than the default). The status shows the last connection or operation result (green = good, yellow = unknown/intermediate, red = failed).

Role - This is the main role for the system. This can be WS (Workstation), SRV (Server), PDC (Primary Domain Controller), or BDC (Backup Domain Controller). The role determines the operations which are possible on that server (e.g. machines with a role of WS or SRV cannot accept global group changes). In Active Directory, the PDC is the machine that holds the PDC emulator FSMO role.

Version - The internal (NT) version of the operating system. Possible values are:

Windows NT 4 = NT4, 4.0
Windows 2000 = W2K, 5.0
Windows XP = XP, 5.1
Windows Server 2003 = 2003, 5.2
Windows Vista = 6.0
Windows Server 2008 = 6.0
Windows 7 = 6.1
Windows Server 2008 R2 = 6.1
Windows 8 = 6.2
Windows Server 2012 = 6.2
Windows 8.1 = 6.3
Windows Server 2012 R2 = 6.3
Windows 10 = 10
Windows Server 2016 = 10

SvcName - The short name of the service typically used in scripts or via command line or in the registry.
DspName - The friendly name of the service visible in the services snap-in.
Description - The description of the service as is visible in the services snap-in.
Startup - The startup type of the service. The three possible values are Automatic, Manual, or Disabled.
State - The current running status of the service. The two possible values are Running or Not Running.
UserName - The user account being used to run the service.
IntAct - Interact with desktop flag.
Passwd - A numerical value used to compare if passwords for a specific account are the same or different.
Status - The status for the last operation which was performed against the machine. This value updates dynamically as operations are in progress and will often indicate what step of an operation is currently in progress on that machine.

The columns can be resized to accommodate your needs (for example, you can reduce the size of the columns you do not need). Service Account Manager will remember the last sizes for all columns of the main window.

5.6 SYSTEM NAME RESOLUTION

When adding systems to a management set, you can resolve computer names using several methods. This product supports NetBIOS names, system names (fully-qualified DNS or simple), and IP addresses. There are valid reasons to use each depending on network configuration.

IP addresses can be used, but they have two problems: (1) They do not necessarily provide a meaningful identification for a machine, and (2) IP addresses can be re-assigned using DHCP. These problems could result in an administrator making changes to the wrong machine. With a DNS name, a machine can be specified in both an easily identifiable way, and a way that is insensitive to changes to the machine's IP address via DHCP as long as DHCP and dynamic DNS are linked together.

To check if a name is resolvable, try pinging the machine by name from the command line interface. If the ping resolves to the correct machine, this product may be able to use that name to manage the machine (because it uses the same resolution mechanism as ping does).
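The same check can be run over a whole list of systems. The following added example (not part of the product) resolves each name through the operating system's resolver and compares the result with an IP address recorded earlier for that system, flagging names that no longer resolve or that now point elsewhere. The inventory entries are constructed, and the resolver can be replaced by a stub so the logic can be exercised offline.

```python
import socket

# Constructed inventory: system name as listed in the management set and the
# IP address recorded for it earlier. Names and addresses are made up.
INVENTORY = [
    ("srv-app01.corp.example", "10.20.0.15"),
    ("ws-0042.corp.example", "10.20.8.77"),
    ("srv-old01.corp.example", "10.20.0.30"),
]


def resolve_ipv4(name, resolver=socket.getaddrinfo):
    """Return the sorted IPv4 addresses the name resolves to, or [] if it does not resolve."""
    try:
        infos = resolver(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return []
    # Each entry is (family, type, proto, canonname, (address, port)).
    return sorted({info[4][0] for info in infos})


def check_system(name, recorded_ip, resolver=socket.getaddrinfo):
    """Classify one system as MATCH, MISMATCH or UNRESOLVABLE."""
    addresses = resolve_ipv4(name, resolver)
    if not addresses:
        return "UNRESOLVABLE", addresses
    if recorded_ip in addresses:
        return "MATCH", addresses
    # The name now points at another address (for example a new DHCP lease).
    # Managing this system by the recorded IP could reach a different machine.
    return "MISMATCH", addresses


def systems_to_review(inventory, resolver=socket.getaddrinfo):
    """Return (name, status, recorded_ip, current_addresses) for every non-matching system."""
    findings = []
    for name, recorded_ip in inventory:
        status, addresses = check_system(name, recorded_ip, resolver)
        if status != "MATCH":
            findings.append((name, status, recorded_ip, addresses))
    return findings


if __name__ == "__main__":
    for name, status, recorded_ip, addresses in systems_to_review(INVENTORY):
        print(f"{name}: {status} (recorded {recorded_ip}, now {addresses or 'nothing'})")
```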

Note: Being able to ping a computer is not an indication that the computer will be manageable. It only indicates that the name is responsive on the network. Management of the computer is dependent on other systems, such as SSH, RPCs, and so on that are not tested with a simple ping.

When the program does a Get Role/Version (Refresh) operation, it retrieves the NetBIOS name and IP address of each managed machine. By default, the computer is resolved by whatever name is in the System column (which can be a NetBIOS name, an IP address, or a DNS name). The resolution method can be changed by right-clicking on the computer(s) and selecting a Resolve By option. This will cause the product to use the alternate name of the computer for name resolution. In most cases, however, the computer name should be sufficient for name resolution. In addition, the other information can then be examined to make sure operations will affect the correct system(s).

5.7 SELECTING MACHINES

Select machines in the systems list by clicking on them. Select multiple machines by using CTRL+Click to select multiple specific systems or SHIFT+Click to select a range of systems.

5.8 HIGHLIGHT LISTS

This feature allows saving and recalling lists of highlighted systems within a set. Use multiple selection lists together to combine sets. The Highlight Lists panel is located in the Manage Systems dialog on the right side of the dialog in the section labeled Select/Highlight System Lists.

To save a list of highlighted systems, first highlight the machines that should be a part of the list and then click on New. Enter the new name for the list of selected machines and click OK. The list created will appear on the Highlight Lists panel. To select the systems in the list, simply highlight the name of the list and click Select or double-click on the name.

To edit a highlight list, simply select the machines that will make up the new list and then highlight the highlight-list-name and click Save. To delete highlight lists, just select the lists and click Delete. Note that this list is additive in nature and that highlighting a list of systems using the highlight list feature does not de-select any currently selected systems.

5.9 REFRESH INFO (GET ROLE/VERSION)

Get Operations retrieve information about systems, services, and jobs for systems in the group. The Get menu and the get operations are dependent on the view that you have chosen:

If you have chosen to view systems only, the get will retrieve system information for the selected systems from the group.
If you are viewing systems and services, then Get commands will retrieve service information for the services and system information for the selected systems and services in the group.
If you are viewing Services only, the Get commands will retrieve service information for the selected Services in the group.
If you have nothing selected, then the get command will refresh information for everything in the list.

If errors arise when attempting to retrieve information about highlighted systems, you can generate a report automatically detailing the errors. At any time during the get process, you can click STOP from the center of the Manage Systems dialog menu to tell the currently running threads to stop retrieving system and service information.

System and service information can also be refreshed on a scheduled basis by using the "Schedule Get Role/Version Info" from the "Misc" menu. Information in this display can be exported to CSV or HTML file by selecting "Generate Report on Systems in Group" from the "SystemsList" menu. See Configuring Reports (on page 145) for further details.

Internal Service Configuration Information

Once you have successfully done a 'Get' on one or more systems, you can see the detailed service configuration by double-clicking on any service of interest. An example dialog is shown below.

This definition can be used to install a service at a later point in time. To save any service definition for default retrieval, just click on the "Make Default" button. A description of all of these fields will be done in a later section describing service installation.

5.10 UPDATE MANAGEMENT SET

To update a management set go to SystemsList > Update Management Set. This option will re-scan the discovery ranges of the current management set. If additional machines are found in the range, they will be added to the management set. Updating dynamic management set members will also test any new alternate administrator identities to see if any more machines in the management set can be managed using the additional credentials. Depending on the dynamic management set settings, systems that have been out of contact may be removed from the management set during an update as well as systems that are no longer found within the range of the dynamic management set. This option will only be active when you are currently managing a dynamic management set.

STOP CURRENT OPERATION

This sends a message to all the current threads to stop working on the current task.

Note: The actual operations may take some time to stop. For example, if the program is performing a network call when the stop is initiated (which is common), the thread will not be able to stop until the network operations time out. Due to the way Windows is designed, forced termination of threads may have bad side-effects, so the product will wait for threads to finish or time out when the stop button is clicked.

REMOVE SYSTEMS FROM MANAGEMENT SET

There are three ways to remove systems from the current management set. Highlight the systems to remove:

1) Click Remove Systems from management set from the SystemsList menu.
2) Click Delete Systems from the context menu (right-click menu) of the systems list in the Manage Systems dialog.
3) Press the Delete key on the keyboard.

GENERATE REPORT ON SYSTEMS IN MANAGEMENT SET

Use Generate Report on Systems in Management Set to export the list of systems and all the visible system settings to a report using the built-in Report Generator. Using Configuring Reports (on page 145), the user can view, print, archive, or e-mail the system information to one or more recipients.


Chapter 6 Operations

Using this tool, you can:

Configure any aspect of any service, including account info, dependencies, and security, on any or all machines in the group.
Install Service (on page 109) or Remove Services (on page 117) remotely on any or all systems in the group.
Reboot Highlighted Systems (on page 119) in the group so changes can take effect now.
Abort Reboots that have been scheduled for systems in the group.
Send Messages to any or all systems in the group.

The steps to managing services are:

1) Add systems to the group if they are not already in the group.
2) Refresh Info (Get Role/Version) (on page 86) and service information to retrieve the most current information on the services, status, accounts and passwords.
3) Highlight one or more services to be changed.
4) Perform a "Set" operation to stop, change the service account, and then restart the service(s).

Note 1: If you are changing a local service account, this program is capable of modifying the local account as needed.

Note 2: If you are changing a service account that is a domain administrator account, you must change the password for the account in the domain first. If this is an Active Directory domain you will not need to wait for replication of the password; you must wait for replication to occur if this is an NT 4 domain.

IN THIS CHAPTER

Restarting/Stopping/Starting a Service
Manage Service Properties
Install Service
Remove Services
Miscellaneous Operations
Job Results Dialog
Finding Services Missing from Systems

RESTARTING/STOPPING/STARTING A SERVICE

Services can be stopped, started, and restarted by using the context menu or by using Operations (on page 91). When performing these steps through a right-click, the operation occurs immediately. When the operation is done, you will be presented with the job success or failure in the Job Results Dialog (on page 120). If you use the SET operation you will have the option of Deferred Processing (on page 163) for these operations as well as the ability to manage every other setting about the service(s).

MANAGE SERVICE PROPERTIES

After you have chosen the service(s) to manage, click Set. Performing a Set operation allows you to manage every attribute used by a service including the service account information.

A service account is a logon account for a service, and as such, to change credentials the service must be stopped and started to use the new credentials. To properly change a service account, you would normally check three check boxes in the Actions section of the dialog so that the following operations will be performed:

1) Stop Service
2) Apply New Service Account Settings (on page 100) (change account info)
3) Start Service

If you wish, you can use any combination of the check boxes, such as only selecting the "Stop Service" option to stop a series of services on different machines. The other options in the Actions section are:

RUN PRE-OPERATION PROCESS - Run Process Options (on page 95) to run before the service change.

STOP SERVICE - stops the service.

COPY FILES - This opens up the Copy Files.

UPDATE LOGON CACHE - This opens the Logon Cache Values (on page 98).

APPLY NEW SERVICE ACCOUNT SETTINGS - allows you to change the account and/or password that a service runs as; see Apply New Service Account Settings (on page 100). You may also set the group memberships and rights of this account.

CHANGE STARTUP TYPE - The following Change Service Startup Type (on page 103) options are available:
Automatic - the service will start automatically when the system is booted.
Manual - you must issue a start command to the service to get it started. If you reboot, the service will not start on its own.
Disabled - service will not start even with a start command. Do not attempt to start a service that is in the disabled state as you will receive an error message back indicating that the service could not be started.

CONFIG OPTIONS - Config Options (on page 104): executable path, dependencies, description, and startup error control.

CHANGE RECOVERY OPTIONS - This opens the Service Failure Recovery Settings (on page 106).

START SERVICE - starts the service.

RUN POST-OPERATION PROCESS - Run Process Options (on page 95) to run after the service change.

SECURITY DESCRIPTOR - This allows you to manage the Security Descriptor (on page 107) assigned to a service, such as who can start or stop the service. You can also manage auditing settings for the service. Auditing events will show up in the local system's event logs.

AUTO RETRY ON ERROR/OFF-LINE SYSTEMS - If this is selected and there is an error, Lieberman RED Services Management will offer you the option to retry the failed operation.

To apply the changes you have configured immediately, click Apply. To schedule the changes you have made to occur at a later time or on a recurring basis, choose Scheduling Options (on page 164). Click Cancel to discard the changes you have configured.

Run Process Options

Service Account Manager can distribute a service or other executable to remote machines to facilitate launching processes on the target machines before and/or after making changes to services. You can also choose to copy files to the remote machines on which the service changes are to happen. This allows you to run custom scripts, perform backups, or take any other arbitrary action before making changes to the services on your machines.

To copy files to the remote machines, enter or locate the paths to the files on the local system or use UNC file paths. The program to run should be a local path, but the path must be exactly the same on all systems for the program to run correctly. Wild card replacement is not done on the Program path. The Command line field contains any additional command line arguments that you want to use with the program.

You can choose to launch the program as either the local system account or as a specific account that is valid on the selected machines. You can also choose to load the profile of the launching user before the program executes (in case it will utilize any information stored in the user profile, as this information is not available when the account does not have an active logon session).

Additional options include capturing the output of the launched program and storing it with the operation log in RED Services Management, waiting for the launched process to complete, and cleanup options for both the remote service and any copied files.

Additional error checking options are available for the result code of the launched program on the remote machine. These options include ignoring known error codes, aborting service changes if an error occurs, specifying a success set for program result codes, and appending any known program logs to the Service Account Manager job log.

Logon Cache Values

Shown below is the Logon Cache Values dialog. This feature is useful for laptops, remote systems, or network segments without a local domain controller. By performing an interactive logon, the local machine will cache the logon credentials and the rights of those credentials in the local logon cache. The benefit is that if or when the domain controller is unavailable, the service will still be able to authenticate and start. As a result, the service is not disrupted just because a domain controller is unavailable.

The logon cache operates by installing a remote service on each system. This remote service receives an encrypted package of credentials. Next, a command to log on locally with those credentials is transmitted to the service. When the service is complete, an acknowledgment of success or failure is returned. The credentials are then removed from each target system.

Selecting "Use 'Set' Account Credentials" will use the credentials from the Set Service Account Properties to update the credentials of the service, or you may specify other credentials that you would like the service to run with in the text fields below.

The Number of Logons to Perform drop-down box allows you to perform the logon multiple times to ensure that the cache is updated.

The "Logon Provider" specifies what type of provider will be authenticating the credentials:

Default: Use the standard logon provider for the system. The default security provider is negotiate, unless you pass NULL for the domain name and the user name is not in UPN format. In this case the default provider is NTLM.
WinNT50: Use the negotiate logon provider. This value is not supported for Windows NT 4 or earlier.
WinNT40: Use the NTLM logon provider.
WinNT35: Use the Windows NT 3.5 logon provider.

The "Logon Type" specifies the type of logon to perform:

Interactive: This logon type is intended for users who will be interactively using the computer, such as a remote shell or similar process. This logon type has the additional expense of caching logon information for disconnected operation. It may therefore be inappropriate for some client/server applications such as a mail server.
Service: Indicates a service-type logon. The account provided must have the service privilege enabled.
Batch: This logon type is intended for batch servers where processes may be executing on behalf of a user without their direct intervention.
Network: This is intended for high performance servers which will authenticate users in plain text.
Network_Cleartext: This type preserves the name and password in the authentication package, which allows the server to make connections to other network servers while impersonating a client. Windows NT 4 and earlier do not support this value.
New_Credentials: This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local ID but uses different credentials for other network connections. Windows NT 4 and earlier do not support this value.
Unlock: This logon type is for GINA DLLs that log on users who will be interactively using the computer. This logon type can generate a unique audit record that shows when the workstation was unlocked.

Apply New Service Account Settings

To change the account used by a service, you must check the "Apply New Service Account Settings" box. The new account is not used until the service is restarted. A service can run as several different account types:

System Account (LocalSystem) - This account has more authority than the administrator account and does not require a password. The limitation of this account is that it cannot make any network connections outside of the local machine. This account is normally used by Windows' own services. It is not recommended to change this account on Windows' own services since most built-in services will only run using this account. The "Interact with Desktop" option is only available with the System Account. At this time, Service Account Manager cannot set the account to "Network Service" or "NT Authority\Local Service".

Local Service Account (NT Authority\Local Service) - This is a special built-in account that has reduced privileges similar to an authenticated local user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes.

Network Service Account (NT Authority\Network Service) - This account is a special built-in account that has reduced privileges similar to an authenticated user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes. A service that runs as the Network Service account accesses network resources using the credentials of the computer account in the same manner as a Local System service does.

Domain Account - This type of account is used when the service must connect with domain resources to accomplish its task. A domain account consists of the "Domain Name" field as well as the "Username" and "Password." The drop-down list box will list domains known to the machine you are running the program from; however, you may type any domain name you wish into the "Domain Name" field.

Local Account - When a local logon is desired for the service, a workstation account is used. This type of account will be used when the service is performing peer-to-peer network access, or the administrator wishes the service to first authenticate locally. A check box entitled "Change local account info" will cause this account to be created/updated locally. If you choose to use a local account, the option to "Update local account info" will become available. Setting this option will configure the local account with the password you provide in the "password" fields.

MEMBERSHIP AND RIGHTS - When setting a domain or workstation account, you will normally add it to the local administrators group of the machine. This is necessary for most services to operate properly. It is also necessary to add the right to "Log on as a service" as well as the right to "Act as part of the operating system" to the account being added/updated. For your convenience, you can modify the rights list as well as the memberships granted to the account.

Change Service Startup Type

Changing the service startup type changes how the service starts up, if at all. The option is found on the SET screen and has three possible values:

Automatic - the service will start automatically when the system is booted.
Manual - you must issue a start command to the service to get it started. If you reboot, the service will not start on its own.
Disabled - the service will not start even with a start command. Do not attempt to start a service that is in the disabled state, as you will receive an error message indicating that the service could not be started.

To configure what happens on the local system when the service fails to start automatically, use the Config Options (on page 104). To configure what happens on the local system when a service is running and fails, see Service Failure Recovery Settings (on page 106).

Config Options

The "Config Options" are available from the Set menu. The config options are used to change the service executable path, dependencies, description, and startup error control.

Change service display name - Change the display name of the services as viewed through the services snap-in.
Change service exe path - Allows you to change the running location of the specified service. Typically this property should not be modified.

Change dependencies - Allows you to add or remove dependencies for the specified service(s). Choosing the "replace dependencies" option and leaving the dependencies field blank will result in all dependencies being removed. Use the up and down arrows on the top right of the field to set the dependency order.
Change service description - Allows you to change the service description. Aside from identification purposes, there are no ill effects from modifying this attribute.
Change startup error control - Allows you to control what happens to your system if a service fails to start when configured for automatic startup.
  Log and Ignore - Logs an error to your system log.
  Message box, continue startup - A message box appears at the logon prompt indicating that there was a service failure. Logs a message to the system log.
  Restart with last known good, continue - If the service fails to start, the system will restart with the last known good configuration. If the service fails again while starting with the last known good configuration, the system logs a message to the system log, pops a message box, and continues loading the operating system.
  Restart with last known good, abort - If the service fails to start, the system will restart with the last known good configuration. If the service fails again while starting with the last known good configuration, the system logs a message to the system log and blue screens.

Service Failure Recovery Settings

The failure recovery options are available from the Set menu. This dialog allows you to take actions when services fail to run. You may choose to:

Take no Action
Restart the Service - Restart the service after a specified number of minutes.
Run a Program - Run the service as a specified program along with optional command line parameters.
Restart the Computer - Restart the computer after a specified number of minutes, and send an optional message to all computers on the network.

You may take any of these actions after the first failure, the second failure, or any subsequent failures. You may also reset the failure counter after a specified number of minutes.

Security Descriptor

The service security options are available from the Set menu. From this dialog you can set the permissions assigned to the selected service(s) as well as control the auditing settings for the service(s).

The permissions that appear in the security and auditing dialog are not a representation of current settings. They are a representation of desired settings and will replace any current configurations. If you wish to see what the current security settings are for the service you are managing, refresh the system/service information, double-click the service in question, then click the View Security button in the lower right corner of the dialog. You will need to make note of these permissions and re-enter them here if you wish to append to or modify these permissions.

Clicking the Advanced button will allow you to set the auditing settings for the service(s). Changes here will only be applied if you also select the "Include changes made to auditing settings" check box on the Set menu in the "Security Descriptor" area. Audit events will show up in the security log of the remote system (i.e. the one being managed).
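Because the desired permissions replace the current ones rather than merging with them, it helps to compare the two before applying. The following is an added example, not code from the product: it assumes both descriptors are available as SDDL strings (the form printed by the Windows command "sc.exe sdshow <service>"), and the two sample strings are constructed for illustration.

```python
import re

# Service-specific meaning of the two-letter SDDL right codes.
RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ",
    "GX": "GENERIC_EXECUTE",
}
# Rights that let a principal reconfigure, delete or take over the service.
SENSITIVE = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE",
             "GENERIC_ALL", "GENERIC_WRITE"}

# Constructed samples: CURRENT resembles a typical service descriptor,
# DESIRED is what an administrator typed into a replacement dialog.
CURRENT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DESIRED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCDCLCSWRPWPLOCRRC;;;IU)")


def parse_dacl(sddl):
    """Return {(ace_type, trustee): set of right names} for the D: section."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL found in SDDL string")
    aces = {}
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            names = {rights}          # raw access mask, kept verbatim
        else:
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            names = {RIGHTS.get(code, code) for code in codes}
        # Several ACEs for the same trustee and type are merged.
        aces.setdefault((ace_type, trustee), set()).update(names)
    return aces


def replacement_impact(current_sddl, desired_sddl):
    """Report what replacing the current DACL with the desired one changes."""
    current, desired = parse_dacl(current_sddl), parse_dacl(desired_sddl)
    removed, added = {}, {}
    for key in set(current) | set(desired):
        lost = current.get(key, set()) - desired.get(key, set())
        gained = desired.get(key, set()) - current.get(key, set())
        if lost:
            removed[key] = lost
        if gained:
            added[key] = gained
    # Only allow ("A") ACEs can newly grant a sensitive right.
    risky = {key: rights & SENSITIVE for key, rights in added.items()
             if key[0] == "A" and rights & SENSITIVE}
    return {"removed": removed, "added": added, "sensitive_added": risky}


if __name__ == "__main__":
    for section, entries in replacement_impact(CURRENT_SDDL, DESIRED_SDDL).items():
        for (ace_type, trustee), rights in sorted(entries.items()):
            print(section, ace_type, trustee, sorted(rights))
```

In the sample, the replacement silently drops the entry for service logons (SU) and newly lets interactive users (IU) change the service configuration, which is the kind of difference to catch before clicking Apply.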

INSTALL SERVICE

Installing and removing services is one of the most powerful capabilities of this product. To perform this operation you will need to know the location of the service's source files as well as the internal settings necessary for proper startup and operation. The easiest way to add a service is to clone the settings from another machine where the service has already been installed. Once you have a snapshot of how the service should appear when properly installed, you can then modify that image as necessary to install it on other systems.

The installation of a service requires that any service with the same name be stopped and removed from the system. This software will take care of those steps for you automatically. The software will also copy over files that you specify prior to installing the new service.

Note: When installing services, you can install them in their own directory, or within the Windows system directory. If the Windows system directory name or drive varies from machine to machine (this is a very common occurrence), we recommend that you use a unique directory for the service. This program will automatically create any necessary directories as needed.

The following sections detail the working of the other Install Service dialog pages.

Finding systems with missing services: The easiest way to determine which systems are missing a service is to set the filter criteria so that only the service of interest is listed (see Finding Services Missing from Systems (on page 121)). Then perform a Get operation on all of the systems of interest. Finally, perform a sort on the installed state to locate those systems that lack the service.

Installing missing services: Using the previously described filter to show missing and installed services, you can highlight all entries where a service is missing and install the missing service.

Install Service Systems

In order to install a service using Lieberman RED Services Management, you must first create a "template". To do this, double-click on any existing service to open the Service Installation Parameters dialog. In the lower right corner of this dialog, click Make Default, which copies the information into the service installation cache, and click OK to close the dialog.

Shown below is the Systems page of the Install Service dialog. To install a service, select the machine(s) you wish to install the service on and either right-click on the system or, from the Manage menu, choose Install Service.

INSTALL SERVICE - SERVICE CONFIGURATION

Shown below is the Service Configuration page of the Install Service dialog. When you first view this page, it will contain the settings of the service that you copied into the Install Service Systems (on page 110) using the Make Default button. You will now modify those settings to perform the installation of your service.

To support the installation of many different service configurations, you can double-click on installed services from the main screen and then use the "Service Definition Archive" (lower left hand side of the page) to save the specifics of a service definition under the name of your choice. You can then recall it by highlighting the name in the Service Definition Archive (when you get here), and click on the "Activate" button to bring up the settings. If you wish to make this the default entry that will appear every time you install a service, click on the "Make Default" button on the right of the screen. Even when using these pre-saved service definitions, you must still use the "Make Default" option on an existing service prior to new service installation.

Field Explanations

CURRENT SERVICE CONFIG. - Explanation of where this configuration came from (default, archive, etc.). If you are copying or editing existing service information, the name of the service entry being modified will be listed here.
SERVICE DISPLAY NAME - Long name used in the control panel to refer to this service.
INTERNAL SERVICE NAME - Short name used by the program itself. This value is used for command prompt and script management of the service.
DEPENDENCY LIST - List of services that must be running prior to starting this service. Windows will examine dependencies at boot up and make sure that it does not attempt to start this service until the full dependency list is running. You can add entries to this list as well as change the order of dependencies. Normally you will want to keep things as-is.
SERVICE TYPE - Normal services will be set to "Own Process" while many of Windows' internal services will be set to "Shared Process." You must know how the developer of the service wants this setting set. You will typically never use the other service types.
START TYPE - This setting controls when the service is to start (i.e. boot time, on-demand).
ERROR CONTROL - Leave this set to Normal unless the service requires another setting. If the service is set to start with the system and fails during startup, these settings identify how the system should handle the failure.
  Normal will log an event to the system log and display an error at the logon prompt.
  Ignore will simply log an event to the system event log with no visual indication of failure.
  Critical will restart the system using the last known good configuration. If the system fails to start the service again, the system will continue to boot, but log an event to the system log and display a warning at the logon prompt.
  Severe will restart the computer using the last known good configuration. If the service fails to start again, the system will fail to boot and produce a blue screen error.
TAGID - Leave this set to 0 unless the service requires another setting.
PATH TO SERVICE EXECUTABLE - This is the path and file name of the service executable. You must specify a local physical path on each machine.
LOAD ORDER - This field is normally blank unless there is a specific group name used by the service. This will already be defined by the service developer.

LAST ACCOUNT INFORMATION - This information shows you the setting of the service when it was double-clicked. This account information is not used to install the service; you must provide new account information for your service installation.

Service Definition Archive allows you to save/recall the settings of this page under a name of your choosing. The buttons act as follows:

ACTIVATE - causes the named entry to be loaded. You can also double-click an entry to activate it.
SAVE AS - allows you to save a setting under a name of your choice.
SAVE - saves the current setting under the name currently highlighted in the list.
REMOVE - deletes a highlighted entry on the list.

INSTALL SERVICE - SERVICE FILE COPY

Shown below is the Service File Copy page of the Install Service dialog. This page allows you to distribute the files that your new service will need to run.

To add files to copy, simply click the Add button. At this time, each file that you wish to copy must be added individually. Input the source path as a local path to the file you wish to copy. Input the destination path as a network path using %SYSTEM% as the name of the system. RED Services Management will replace %system% with the name of the system(s) automatically. Click OK to add the file entry. You may repeat this step as many times as you like. Be sure that the Enable File Copying check box is selected if you need to copy files, or nothing will be copied!

Important Point! Remember to set the physical path of the service on the Install Service - Service Configuration (on page 111) page (previous page) to the same location as specified in the file copy operation. For example, if you copied the file to "\\%system%\admin$\system32\csfoc.exe", the local path on the system should be "C:\Windows\system32\csfoc.exe" (presuming you installed to the Windows directory at the root of drive C).
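The path rule above can be checked before a job is run. This is an added example, not part of the product: the function names are hypothetical, and it assumes the destination uses an administrative share (admin$ for the Windows directory, or a drive share such as C$) and that you know each target's Windows directory.

```python
import ntpath
import re


def expand_destination(dest, system_name):
    """Substitute a system name for %SYSTEM% (any letter case)."""
    return re.sub(r"%system%", lambda _m: system_name, dest, flags=re.IGNORECASE)


def unc_to_local(dest, system_root=r"C:\Windows"):
    """Translate a copy destination on an administrative share into the
    path of the same file as seen locally on the target system."""
    match = re.fullmatch(r"\\\\([^\\]+)\\([^\\]+)\\(.+)", dest)
    if not match:
        raise ValueError("not a UNC path: %r" % dest)
    _host, share, rest = match.groups()
    if share.lower() == "admin$":
        base = system_root                  # admin$ is the Windows directory
    elif re.fullmatch(r"[A-Za-z]\$", share):
        base = share[0].upper() + ":\\"     # C$ is the root of drive C
    else:
        # An ordinary share can point anywhere; it cannot be translated offline.
        raise ValueError("share %r has no fixed local path" % share)
    return ntpath.normpath(ntpath.join(base, rest))


def service_path_matches(dest, service_exe_path, system_root=r"C:\Windows"):
    """True when the configured service executable is the copied file."""
    exe = service_exe_path.strip()
    if exe.startswith('"'):                 # quoted path, possibly with arguments
        exe = exe[1:].split('"', 1)[0]
    local = unc_to_local(dest, system_root)
    return ntpath.normcase(ntpath.normpath(exe)) == ntpath.normcase(local)


if __name__ == "__main__":
    destination = r"\\%system%\admin$\system32\csfoc.exe"
    configured = r"C:\Windows\system32\csfoc.exe"
    # Constructed inventory: system name -> Windows directory on that system.
    for name, root in {"WKS01": r"C:\Windows", "SRV07": r"D:\WINNT"}.items():
        ok = service_path_matches(destination, configured, root)
        print(expand_destination(destination, name), "->",
              unc_to_local(destination, root), "OK" if ok else "MISMATCH")
```

The second system in the sample shows why the guide recommends a unique directory when the Windows directory differs between machines: the same destination resolves to a different local path there.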

INSTALL SERVICE - LOGON INFORMATION

Shown below is the Logon Information page of the Install Service dialog. These are the same fields as you encountered when performing a Manage Service Properties (on page 93) operation, except there are no options to stop the service or change the account information. There is a "Start after install" check box that should normally be checked. If you set the Service Start Type to Disabled, the service will install, but not start.

REMOVE SERVICES

To remove services from machines in the group, simply select those services you wish to remove and click the "Remove Service(s)" option from the Manage menu. You will be prompted to confirm the removal. Click OK to confirm and remove the selected services.

Warning! Removing a service is not the same as stopping or disabling a service. Once the service is removed, it cannot be started. However, you can re-install the service since the service files are still in place, but you will need to know all of the service configuration information.

6.5 MISCELLANEOUS OPERATIONS

This section contains additional operations that can be performed.

Send Message - Use Net Send to send a message to machines in your group.
Reboot and Abort Reboot - Remotely reboot or abort a reboot.
Send Wake on LAN Packet - Send a Wake on LAN packet to a suspended system.

Send Message

The product allows sending messages using the Windows Messenger service. Shown below is the Send Message to Systems dialog.

The Send Message settings are limited to those which are valid for the Windows Messenger service; see the Windows documentation for details. If options are specified which are invalid, the Send Message operation will fail with the error code received from the operating system. If the Messenger service is stopped on the remote system, messages cannot be sent to the remote system. The Messenger service can be started on target systems and then optionally shut down again after the message is sent.

Note: Using the current scheduler, Domain sends cannot be scheduled.

Reboot Highlighted Systems

This product gives you the ability to remotely reboot systems. Shown below is the Reboot Highlighted Systems dialog.

Set the "Time to display message" field as well as the "Message to send to system" field. When everything is set, click "Begin Shutdown" to start the shutdown process. The Reboot Highlighted Systems feature uses the built-in Job Scheduler so that you can schedule your tasks to run now, at a later time, or periodically.

6.6 JOB RESULTS DIALOG

When performing operations, the tool's log will keep track of the outcome. When the operation is successful, the following message box will appear:

If errors occur while the job is being run, the Job Results dialog will pop up and prompt the user to respond to any errors that come up. Shown below is the Job Results dialog. This dialog shows any errors being returned by services or machines after a task is completed.

To have failed tasks retried, select the tasks or machines by checking the box to the left of the service or system, or by selecting it and clicking the appropriate Set Enable Retry button. It is also possible to use the built-in reports (see Configuring Reports (on page 145)) to document this list of errors. When retry options for each system and/or service are selected, click Start Retry to begin retrying the jobs or click Cancel to not retry any of the jobs.

FINDING SERVICES MISSING FROM SYSTEMS

RED Services Management can be used to find systems that are missing services using the following procedure.

1) Go to View Filter.
2) Enter the name of a system that does contain the service and click Refresh.
3) Select the service(s) from the Available Services list that you want to check for and click Add to add them to the filter list.
4) Set the filter to Filter List Only.
5) Click on the OK button to set the filter criteria and close the filter dialog.
6) Set the view to Services Only.
7) The main results screen will now display the information it currently has about the service in question.
8) To retrieve information about all of the systems in your list, click Get.

After the Get operation has been completed, the information in all the columns for each machine will be filled out. For each machine, the state column will tell you the current status of the service. Any systems missing the service indicate that the service is not present.


Chapter 7 IP Scanner Dialog

The IP Scanner allows one or more IP address ranges to be scanned for machines. By default, only systems that grant access to the currently logged on account or an alternate administrator account will be added. A reporting package (see Configuring Reports (on page 145)) allows exporting the results of the IP scan to a text file, Excel spreadsheet, or database. The results can also be used to build system sets or add to an existing system set for further action.

The main dialog is shown below.

The main sections of the dialog are:

Subnets/IP Ranges to Scan. This panel at the top of the screen lists the ranges that will be scanned to search for systems to add to the current system set. Add, edit, or delete ranges by using the buttons underneath the panel labeled Add, Edit, Delete.

Scanned IP Addresses. This panel displays the list of systems found in the range of the scan.

Exclusion List (on page 27). Not all machines returned by the IP Scanner should be imported into a system set. Certain machines may already be known as untouchable/critical, where settings should not be changed under any circumstances. The program provides an editable Exclusion List to enter the NETBIOS names of the machines to exclude. When performing an IP scan, all machines capable of administrative access are added to the "Scanned IP Addresses with administrator level access" list; however, any machines that also appear on the Exclusion List are disabled (unchecked) by default. Unchecked systems will not be exported. To edit the Exclusion List, click on the "Edit" button to the right of the "Exclusion List."

Optional Administrator Account. This is the list of alternate administrator accounts. This list can be edited through the menu.

Log File. This is where the log of actions is displayed on the screen.

Clicking on the "Add" button under the top panel brings up the dialog box shown below. The "IP Address Range Type" radio buttons allow entering the address format in either Network Address format or IP Stop/Start format. If using the Network Address format, click on the "Calculate >>" button to see the range of addresses generated by the subnet of the Network Address. Alternatively, click on the "Analyze Entries" button to examine the address range and report on the class and format of the address range. Clicking on the "Edit" button will display the same dialog, but any changes will be made to the selected entry in the panel.

Enable or disable any address range by checking/un-checking the "Enable Entry" check box.

The name of the subnet or address can be entered in the "Description" field.

In the middle of the main dialog you will find buttons to "Set Fields". Highlighting one or more entries in the Subnets list (top list) and then clicking on the "Subnet" or "Skip" buttons will change the subnets and skipped address ranges for all of the highlighted entries. This is a useful feature when you need to modify a range of imported network address ranges.

The "Select" group of buttons will highlight all or none of the address ranges. The "Enable" buttons will enable (check) or disable (un-check) all highlighted entries. This is useful when you want to scan only a subset of all available addresses.

To perform the scan, click on the "Scan Now" button or use the menu option "Scan Subnet Start." Notice that the "Status" field (lower right) will show the highest IP address currently being scanned. The "Progress" bar will also show the percentage of addresses processed (or in process). To see when the process is complete, keep an eye on the "Active Threads" number. When this number goes to zero, the scan is completed.

A "Log File" list box displays any unusual return codes from your systems. One common error code is This error can mean that the local protocol stack is getting confused (this should be corrected in a Microsoft Service Pack). This error can be ignored without any worry since the scanner will continue to retry until the protocol stack gets back into proper operation.

When the scan is completed, a list of entries that fully identifies each machine will display. These results can be sorted by clicking on the column headers. Any entries which should not be exported can be disabled by highlighting entries and clicking on the "Yes" or "No" button in the "Enable" button group below the list of scanned machines.

IN THIS CHAPTER

IP Scanner Menu - File
IP Scanner Menu - Options
IP Scanner Menu - Scan Subnet
IP Scanner Menu - Report Generator
IP Scanner Menu - Alternate Administrators
IP Scanner Menu - Exclusion List
Vulnerability Testing

IP SCANNER MENU - FILE

Options on this menu:

IMPORT SUBNET LIST - Allows you to import a list of subnet addresses to scan.
EXPORT SCANNED ENTRIES - Allows you to export a list of systems from the results of the scan.

Import Subnet List

Import a range of subnets into the scanner for scanning if the file format is organized as:

Network Address1 ;Comment
Network Address2 ;Comment

To import a range, click File Import Subnet List. This will activate the following dialog to confirm that the file being imported is in the correct format.

Click Next. Specify the path to the file containing a list of network addresses. After selecting the file to use, the following dialog, which confirms the selection, will appear.

Click Next. Specify the default subnet mask for each imported network address. The subnet mask helps limit the range of addresses to be scanned. If some of the network addresses are different, go back later and edit the subnet masks.

After clicking on the Next button, a final dialog box will pop up that will prompt to skip the first, last and gateway (start+1) addresses in the subnet range. Normally leave these check boxes unchecked. The state of these check boxes is shown in the "NetSkip" column of the main dialog. Click the Import button to add the subnets to scan to the list. Notice that all of the entries have a check box next to them that is checked. By default, all address ranges are enabled.

Export Scanned Entries

Before exporting any of the scanned systems, make sure any systems that should not be exported are disabled (unchecked). To disable any excluded systems, click on the Apply button within the Exclude Systems List area (normally this step is not necessary unless the Exclusion List is loaded after completing the scan and the Exclusion List needs to take effect on the results already in the list).

To export, click on the Export button located to the right and bottom of the list of systems. This may also be done by clicking File Export Scanned Entries.

The following dialog will now appear:

It is possible to export the NetBIOS names or the raw IP addresses to the management set. The NetBIOS name export is the preferred format.

The distribution of the scanned machines can be as follows:

Automatically creates a new system set where the name is composed of the number of the subnet/address range in the list combined with a description. This is a good option if a router table was imported as the source of the address ranges to scan. Populate the created management sets with those machines that are in the IP range of the management set (same subnet/IP range).

Automatically creates a system set for each unique domain/workgroup retrieved from the scanned systems. Use this option to manage machines by domain where the machines are spread across multiple network segments.

Import all of the enabled (checked) scanned systems into the current management set.

Click on the OK button to perform the export. The operation is very fast. Then go into the current system set, or go back to the main program dialog to select a different system set.

IP SCANNER MENU - OPTIONS

Options for this menu:

THREAD MAXIMUM OVERRIDE - Sets the maximum number of threads to use for the IP scan. See Thread Maximum Override (on page 135).

Thread Maximum Override

Once a list of IP address ranges to scan is set, the next logical step is to begin the actual scanning. The scanning step uses as many threads as it needs, up to the maximum (configurable, but 100 by default). This value can be overridden by clicking Options > Thread Maximum Override.

The upside of increasing the number of threads is that a large address range can be scanned quickly. The downside is that stopping a scan can take an extended period of time, as all outstanding network requests must finish or time out. Increasing the thread count can also set off an intrusion detection/prevention system. When working with this feature, set the number to 10 for a relatively quick stop time, and increase the number to 1000 or 5000 to scan large ranges of systems.

7.3 IP SCANNER MENU - SCAN SUBNET

Start - Begins the scan of the selected subnet range.
Stop - Tells all the threads working on scanning the subnet range to stop.
Validate Subnet Table Values - Verifies that the given range is able to be scanned. This would detect bad input from imported lists of subnet ranges.

7.4 IP SCANNER MENU - REPORT GENERATOR

Options on this menu:

SUBNET IP/ADDRESS RANGE LIST - Tells the Report Generator to output the Subnets/IP Address Range List panel, including all systems in the list and all columns in the list.
IP SCAN RESULTS - Tells the Report Generator to output the Scanned IP Addresses panel, including all the systems in the list and all the columns in the list.

Note that both of these features make use of the Configuring Reports (on page 145) feature.
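The import file format ("Network Address ;Comment"), the default subnet mask, the NetSkip options and the idea of validating subnet table values can be exercised outside the product before a list is imported. The following is an added example, not code from the product or its vendor: the function names, the 65536-address ceiling, the overlap rule and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of an import file: one "Network Address ;Comment" per line.
SAMPLE = """\
10.20.30.0 ;HQ user VLAN
10.20.31.0 ;HQ servers
10.20.30.0 ;duplicate of line 1
10.20.300.0 ;typo in third octet
10.20.32.17 ;host address, not a network address
192.168.5.0;lab (no space before the comment)

;comment-only line
"""


@dataclass
class SubnetEntry:
    line_no: int
    network: ipaddress.IPv4Network
    comment: str


def parse_subnet_list(text, default_mask="255.255.255.0", max_addresses=65536):
    """Parse an import file and return (entries, errors).

    Every address gets the same default mask, as in the import wizard.
    errors is a list of (line number, address text, reason) tuples.
    """
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        addr, _, comment = raw.partition(";")
        addr = addr.strip()
        if not addr:
            continue  # blank line or comment-only line
        try:
            ipaddress.IPv4Address(addr)  # rejects typos such as 10.20.300.0
            # strict=True rejects an address with host bits set under the mask
            net = ipaddress.IPv4Network(f"{addr}/{default_mask}", strict=True)
        except ValueError as exc:
            errors.append((line_no, addr, str(exc)))
            continue
        if net.num_addresses > max_addresses:
            # Assumed ceiling: a too-wide mask silently widens the scan scope.
            errors.append((line_no, addr,
                           f"range too large: {net.num_addresses} addresses"))
            continue
        clash = next((e for e in entries if e.network.overlaps(net)), None)
        if clash:
            errors.append((line_no, addr,
                           f"overlaps line {clash.line_no} ({clash.network})"))
            continue
        entries.append(SubnetEntry(line_no, net, comment.strip()))
    return entries, errors


def scan_targets(net, skip_first=False, skip_last=False, skip_gateway=False):
    """Addresses a scan of `net` would touch, honouring the three skip options.

    first = the network address, last = the top address of the range,
    gateway = start+1, matching the wording of the import dialog.
    """
    skipped = set()
    if skip_first:
        skipped.add(net.network_address)
    if skip_last:
        skipped.add(net.broadcast_address)
    if skip_gateway:
        skipped.add(net.network_address + 1)
    return [ip for ip in net if ip not in skipped]


if __name__ == "__main__":
    good, bad = parse_subnet_list(SAMPLE)
    for entry in good:
        count = len(scan_targets(entry.network))
        print(f"line {entry.line_no}: {entry.network} ({entry.comment}) "
              f"-> {count} addresses")
    for line_no, addr, reason in bad:
        print(f"line {line_no}: rejected {addr!r}: {reason}")
```

Reviewing the rejected lines before the import keeps a mistyped address or an over-wide default mask from enlarging the scan beyond the ranges that were approved.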

IP SCANNER MENU - ALTERNATE ADMINISTRATORS

The options for Alternate Administrators are shown at the bottom of the IP Scanner dialog box. The list of available alternate administrator accounts is in the lower left. Options from this menu can be used to add, edit, and delete alternate administrators from this list.

All previously entered alternate administrator accounts (if any) are used by the IP Scanner. To use the default (current) logon credentials, un-check the Enable Alternate Administrators check box on the bottom right side of the dialog. To add additional alternate administrators, right click on the list in the lower left hand corner, or use the Alternate Administrators menu options to add, edit, or delete alternate administrator accounts.

If using the wild card of %SYSTEM% for impersonating accounts, the IP address will be prefixed onto the account. This may or may not work with some systems. Generally the prefix information for the system will be safely ignored.

Administrator Accounts Menu - Add

The adding and editing of alternate administrators is handled by a simple dialog shown below.

Add - To add another alternate administrator account, fill out the user name and both password fields, then select whether the alternate administrator is a local or a domain administrator. Click OK to add to the Alternate Administrator List.
Edit - To edit an alternate administrator account, simply make any changes to the current alternate administrator account and click OK to update the Alternate Administrator List.
Delete - A dialog asking for confirmation to delete the alternate administrator account will appear.

IP SCANNER MENU - EXCLUSION LIST

Options for this menu:

SYSTEMS EXCLUDED FROM ALL OPERATIONS - Access to the Exclusion List (on page 27).
APPLY TO IP RESULTS - Masks the excluded systems from those found in the IP scan.

Systems Excluded From all Operations

Use the Add and Delete buttons to manually change the Exclusion List. It is possible to provide a text file containing critical systems that should not normally be modified; use the Import List button to load the list. The format of the imported list is simply to put each machine name on a line by itself.

7.7 VULNERABILITY TESTING

One use of the IP Scanner is to find systems on the network that are vulnerable to attack because they use the default administrator setting: a built-in administrator account named "administrator" with a blank password.

To perform this test, do a local logon to the host system with a local administrator account that is unique. Make sure that the account chosen for the local logon does not appear on any of the remote machines. Next, enter the alternate credentials of an account named "administrator" with its password left blank. Make sure that the check box for Enable Alternate Administrators is checked. Now perform a scan of the network.

What is returned is a list of all machines that can be connected to with the default administrator credentials and a blank password. If these systems are directly connected to the Internet, this scan is especially important to perform.

Chapter 8 Alternate Administrators

This feature allows specifying additional sets of credentials that can be used to administer systems in multiple [un-]trusted domains and work groups. The program will automatically use the current login credentials or any of the alternate administrator credentials when it performs operations.

When Alternate Administrators are enabled, it is normal to experience delays on some machines during operations because the program must wait for bad credentials to time out before trying alternate credentials.

To access the Alternate Administrators dialog, open any set of systems and click the Alternate Administrators Accounts options from either the Settings menu or ConnectAs menu.

In newer versions of Microsoft operating systems, there may be issues using Alternate Administrators (impersonation) to manage any reliant COM+/DCOM interfaces and applications. This is a Microsoft imposed limitation.

IN THIS CHAPTER

Administrator Accounts Editor

8.1 ADMINISTRATOR ACCOUNTS EDITOR

Shown below is the Administrator Accounts Editor Dialog.

The top list shows the list of systems in the current set and any previous information recorded about the systems. The lower left of the dialog lists the alternate administrator accounts. The Status field shows the current status of any task that has begun and has not yet completed. The Active Threads box shows how many threads are working on the current task (zero when work is completed/no operation in progress). The progress bar is an approximation of task completion. The Current Logon Account is the account the solution is opened as. The check box titled Enable Alternate Administrators is a program wide option that allows the use of alternate administrative credentials for all connections made through the tool. Alternate administrator accounts can be edited by using the Administrator Accounts Editor menu option.

ALTERNATE ADMINISTRATOR ACCOUNTS

To edit or delete one of the entries, first highlight an entry and use either the Edit or Delete menu option. To add a new alternate administrator, use the Add option (also available through the Alternate Administrators menu item). These options are also available through the context menu (right-click menu) of the Alternate Administrators List.

Enter the name of the alternate administrator (use the "domain\account" or "account" format) by manual entry, or via the Local or Domain browse buttons. Substitution, such as '%system%' to replace the system name for local account changes to multiple machines, may also be used.

For example: The local machine name is DCTR1, is a domain controller in domain DOMAIN, and has an account named CustomUser. The target machines each have local accounts named CustomUser, but can also be accessed by the account DOMAIN\CustomUser. By specifying %system%\customuser, the local CustomUser account on each machine is specified, rather than the domain account DOMAIN\CustomUser.

TESTING ADMINISTRATOR ACCOUNT ACCESS

Check the Enable Alternate Administrators check box to use all alternate credentials when accessing systems. To test access, highlight one or more systems (if none are selected, all systems in the list are tested for access) and click on the Test Access button (or go to the menu item Test Access > Start). This test will identify which systems are on-line and which credentials worked with which systems. The testing is completed when the threads counter equals zero.

The columns for AdminID and AdminPwd show which account/password provided administrator access to each remote system. If there is a number in the ALT# field, this corresponds to the ID# of the alternate administrator account that successfully connected. If a dash (-) is in the ALT# field, it means that an alternate administrator account was not used to connect to the computer. If none of the entries worked, this will be reflected in the Access Status field. Lack of appropriate administrator credentials is shown by an error code of 5 - Access Denied. Other error codes (for example, 53 or 1722) usually indicate an off-line system.

ENABLE ALTERNATE ADMINISTRATORS

Typically, the logon account will be used for connections. To have the program try alternates in case of problems authenticating, set the check box Enable Alternate Administrators. Be aware that not every feature in the solution may work through alternate administrators, as there may be limitations on impersonation imposed by Microsoft.

REPORT GENERATOR - ALTERNATE ADMINISTRATORS

Export the results of an authentication test using the built-in Configuring Reports (on page 145).

Chapter 9 Configuring Reports

You can create reports from many places in RED Systems Management. For example, ways to open the "Report Generator" dialog in the management console include the following:

From the main screen, choose SystemsList > Create Report from Display List
From the "Stored Jobs" dialog, choose Report > Generate Report
From the "Enroll Identities" dialog, click Report
From the "Web Application Self-Recovery" Rules dialog, click Report
And so on.

Regardless of where the report is generated from, the "Report Generator" dialog (shown below) and functionality are the same.

Configuring the "Report Generator" Dialog

To create a report output file and launch an appropriate viewer for the file, click Generate Report, located at the bottom of the dialog. Normally, after a report is generated, the report dialog window will save its settings and close. To prevent the dialog from closing after completing the generation of a report, select the Do not close dialog after report generation option. To save new dialog settings without generating a report, click the Save Settings button. To abort the report generation, click Cancel.

The Export Data Columns list shows the columns in the list for which the report is being generated (in this case, the managed set list in the main window). Toggle whether a particular column will be exported by double-clicking on it. Check/un-check all columns by using the All and None buttons to the right of the list. Columns with an X to the left of the column will be exported.

The Export Status Columns section will add a status column to the output that indicates the rows in the source list box that were highlighted (selected). If this option is selected, the generated report will have an additional column; in the new column, rows that were selected will be labeled Yes and rows that were not selected will be labeled No.

The Limit Output to Rows with section will export only those rows that were highlighted in the previous list (requires the report to be run from a dialog with a list of items that are selectable).

The No Column Headers option exports just the results without including the data column header titles.

The File Name box shows the file name for the generated report. A valid output file for the report must exist, even if no action is taken based on the report. The extension of the file is automatically adjusted to be a valid extension based on the report type. The file extension can be overwritten in the file name box.

The Report File Output Type defines the output type. There are four file types that the Report Generator can generate:

Comma Delimited - Column data is separated with a comma, with the first row containing the column names. This can be read into a spreadsheet program, such as Microsoft Excel.
Tab Delimited - Similar to comma-delimited except tab characters are used instead of commas.
Fixed Column Width - Columns are space padded to the fixed width. Specify how wide (in characters) each column should be. This is useful for fixed size viewing and printing, and in some displays that may have limited space. Information that does not fit within the fixed size is truncated on generation. This format is useful for generating human readable output.
HTML - Customizable HTML reports. The HTML output may be edited in the HTML Edit Dialog (on page 150).

The Post-Generation Action section shows the actions to be taken after the output file is generated.

Create File Only simply generates the output file.

Choose View or Print to invoke the View or Print shell actions on the resulting report file (the actual program invoked to view or print is dependent on shell settings for actions based on the extension of the report file).

Choose Execute Program to execute an arbitrary program after the report is generated. Click the ellipsis (...) button to pull up the executable editing window.

Choose to email the resulting report file (inline or as an attachment). Click the ellipsis (...) button to pull up the Configuring Server Settings (on page 152).

If the Show Dialog on Success option is selected, the program will display a dialog box when the report action is complete. (This may be useful if the action produces no visible feedback itself.) The program will always show a dialog box if an error occurs during the report generation/action.

The Title field allows editing the title of the report. This is only valid for HTML reports. The Edit setting opens a window that allows the addition of replaceable report-specific variables to the report title.

REPORT FILE OUTPUT TYPE

There are four file types that the Report Generator can generate:

Comma Delimited - Column data is separated with a comma with the first row containing the column names. This can be read into a spreadsheet such as Excel.
Tab Delimited - Similar to comma delimited except tab characters are used rather than commas.
Fixed Column Width - Specify how wide each column is in characters. This is useful for fixed size viewing, printing, and some displays that may have limited space. Information that does not fit within the fixed size is truncated on generation. This format is useful for generating human readable output.
HTML - Customizable HTML reports.

HTML Edit Dialog

Configure the HTML report output in the "Edit" dialog.

The HTML output template is set to the default template the first time the report generator is run. It is always possible to revert to the default template by pressing the Default button. It is possible to create many template files for HTML reports. Use the file name editor to select which template file is currently being edited. The file menu allows opening or saving templates. The current template file is shown in the template editing window and can be edited directly. Alternatively, the template may be edited outside of the program by any other HTML editor.

The top of the edit window shows the variables that can be used in the report and that will be automatically populated with data specific to the actual report being generated. These variables can be inserted into the template file at the current cursor position by using the Insert button, double-clicking the variable that should be inserted, or simply entering the variable name directly into the template.

The look of the generated report data is controlled by several CSS style elements. The default template has default styles for these elements, and these styles can be edited. The look of the report title elements is set directly in the HTML (which can also be modified).

9.2 POST-GENERATION ACTION

The Report Generator can perform actions when the generation of the report is complete. The following options are currently available:

CREATE FILE ONLY - Only create the file.
VIEW - View the file using the default shell viewer based on the file extension.
PRINT - Generate the report and use the default shell printing application based on the report file extension.
EXECUTE PROGRAM - Allows specifying a program to be run upon the completion of report file generation. With this option, specify the path to the program and any additional command line arguments to run the program with.
EMAIL - Email the report file in the body of an email or as an attachment. Specify a list of addresses to send the report to and append a custom subject line to the report.

9.3 CONFIGURING SERVER SETTINGS

settings are found at Settings > Settings.

This product can send email via SMTP for reporting and alerting purposes. Access to an SMTP server is required. This topic documents how to configure the "SMTP Settings" dialog.

SMTP Settings: General

Use the General tab to configure settings for sending SMTP messages, including sender information; priority, sensitivity, and importance settings; and custom message headers.

Profile

Profile Name - While multiple profiles may be created, only one may be used. The default profile name is called Default.
Description - Text field that may be edited and used to enter a short note or description regarding the profile.

Sender Information

This information is sent with each email in its header and will appear when the recipient reads the mail. Some servers will reject messages that lack the proper address information for these fields (i.e. wrong domain name).

Name - The friendly name of the sender.
Organization - Enter the name of your organization.
Sender - Enter an address that tells the recipient who this message is "From".
Reply-to - If a user replied to the email, this is the address the email will be sent back "To".
Read Receipts - Optional. Enter the address that a read receipt should be sent to. Adds the Disposition-Notification-To header field to the message. The read receipt is a request for the receiving client to send a delivery status notification as soon as the person opens the email. If the reader approves the return of the read receipt, the reader's client will send a reply to the reply-to address specified in the profile settings.
Return Receipt To - Optional. Enter the address that a delivery receipt for the message should be sent to. Adds the Return-Receipt-To header field to the message. The delivery receipt is a request for the receiving mail server to send a delivery status notification as soon as it receives the email.

Priority / Sensitivity / Importance (Optional)

For each property, select the value that should be applied to messages sent by this product. How these settings are processed depends on the client application that receives the email. For example, in Microsoft Outlook, a message with a Priority setting of Urgent displays with an exclamation mark (!) next to the message.

Advanced Message Settings

This section should not be confused with subject lines. Do not enter any information in these fields if you are not comfortable writing custom MIME headers for email. Use this section to enter a custom message header (MIME header) to be included in all messages. Message headers are special text added to the message before the body of the message appears. Leave this section blank if special headers are not needed.

Name - The attribute name to include in the message header.
Value - The attribute value to include in the message header.

SMTP Settings: SMTP Logging

Use the SMTP Logging tab to configure logging options for SMTP email. Communication transaction details are logged as SMTP operations are performed. These options are useful for debugging problems with SMTP traffic.

Enable Event Log Logging - Select this option if the solution should write SMTP log events to the Windows event log.
Enable SMTP File Logging - Select this option if the solution should write SMTP application log events to a text file.

Configure the following setting if Enable SMTP File Logging is enabled:

Log File Name - Provide the path to the .txt file where SMTP events should be logged.

SMTP Settings: Outgoing Server

Use the Outgoing Server tab to configure SMTP server settings.

Outgoing SMTP Server Settings

How you configure these settings will depend on how your SMTP server is configured.

Outgoing SMTP Server Name - Enter the DNS name or IP address of the server.
Port - Port 25 is standard for email. For SSL/TLS encrypted email it may be port 25 or port 465 or 587.
Default (Button) - Resets the port number value to port 25.
Server Timeout - The default value of 30 seconds works in most cases. Increase this time if necessary.

Authentication Method

Choose the authentication option that your SMTP server is configured to use. Incorrect method settings can prevent connectivity with a mail server even when the credentials are correct.

USER_PASSWORD - basic username and password as spelled out in the Server Authentication section.
CRAMMD5 - challenge-response authentication mechanism that protects the password in transit.
NTLM - NTLM challenge-response authentication to the server, which never actually sends a user password.
SASLPLAIN - challenge-response authentication that does not protect the password in transit.
KERBEROS - Kerberos authentication with the server.
XOAUTH2 - Use the XOAUTH2 method to authenticate to the server. This will also require configuration of the OAUTH2 Authentication tab.

SSL/TLS Channel Encryption

If using SSL/TLS encryption, choose the option that your SMTP server is configured to use.

AUTOMATIC - negotiate with the server to find a supported SSL/TLS or plain text method. Not all servers support negotiation.
IMPLICIT - the mail server expects the initial connection to already be encrypted.
EXPLICIT - the mail server does not require the initial connection be made with SSL/TLS but may use SSL/TLS after the connection is initiated.
NONE - use when automatic negotiation does not work and SSL/TLS is not configured on the server.

Server Authentication

Use Authentication Credentials - Select this option if your SMTP server requires authentication; otherwise, clear it to use Anonymous authentication.

The following settings are required if Use Authentication Credentials is enabled.

User Name - The user name configured to authenticate to the SMTP server.
Password - The password required to authenticate to the SMTP server.

Server SSL Settings

Use SSL Client Certificate Authentication - Select this option if your SMTP server is configured to use SSL encryption. SSL encryption allows both logon credentials and data to be encrypted during the SMTP transaction. The server must already be set up to use SSL encryption for this option to work. Test the SSL functionality with an email client to confirm that all SSL components are configured correctly.

The following settings are required if Use SSL Client Certificate Authentication is enabled. Choose one of the following options:

User Certificate File - Enter the path to the security certificate file.
User Authentication Certificate Store - Enter the path to the certificate store if one is configured.
User Certificate Password - If required, enter the password that further secures the certificate file.
Enable Cached Certificate - Select to allow caching of the certificate information.

Test Options

Test Connection - Click to verify connectivity to the SMTP server and that the server accepts the configured credentials. This feature completes the handshake with the server to test that mail can be sent, but it does not send mail. The program log records the transaction details:

SetMailServer error: 11001, [11001] Host not found
Failed to fill SMTP settings
Failed to send message error: Host not found.

Send Test - Sends a test message.
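The authentication methods and channel encryption options above interact: a method that puts a secret on the wire is only as safe as the channel under it. The following is an added example, not the product's code or its configuration format; the SmtpProfile container, its field names, the severity labels and the host name are assumptions, and the port pairing rule reflects the common convention (465 for implicit TLS, 587 for STARTTLS) rather than anything the guide states. The open_session function shows how the four channel settings map onto Python's smtplib for testing a server independently.

```python
import smtplib
import ssl
from dataclasses import dataclass

AUTH_METHODS = {"USER_PASSWORD", "CRAMMD5", "NTLM", "SASLPLAIN", "KERBEROS", "XOAUTH2"}
CHANNELS = {"AUTOMATIC", "IMPLICIT", "EXPLICIT", "NONE"}
# Methods that transmit a reusable secret: the password itself, or for
# XOAUTH2 a bearer token that is only base64-encoded.
SECRET_ON_WIRE = {"USER_PASSWORD", "SASLPLAIN", "XOAUTH2"}


@dataclass
class SmtpProfile:  # hypothetical container for the dialog's settings
    server: str
    port: int = 25
    auth_method: str = "USER_PASSWORD"
    encryption: str = "AUTOMATIC"
    use_credentials: bool = True
    timeout: int = 30  # seconds, the dialog's default


def audit_profile(p):
    """Return a list of (severity, message) findings for one profile."""
    if p.auth_method not in AUTH_METHODS or p.encryption not in CHANNELS:
        raise ValueError("unknown authentication method or channel setting")
    findings = []
    secret = p.use_credentials and p.auth_method in SECRET_ON_WIRE
    if p.encryption == "NONE":
        if secret:
            findings.append(("HIGH",
                f"{p.auth_method} secret crosses the network unencrypted"))
        findings.append(("MEDIUM", "report content is sent unencrypted"))
    elif p.encryption == "AUTOMATIC":
        what = "credentials and report content" if secret else "report content"
        findings.append(("MEDIUM",
            f"negotiation may settle on plain text, exposing {what}"))
    if (p.encryption, p.port) in {("IMPLICIT", 587), ("EXPLICIT", 465)}:
        findings.append(("INFO",
            "port and channel mode are an unusual pairing; confirm with the "
            "mail server administrator"))
    return findings


def open_session(p):
    """Open a connection the way each channel setting describes (needs a server)."""
    ctx = ssl.create_default_context()  # verifies certificate and host name
    if p.encryption == "IMPLICIT":
        # TLS from the first byte
        return smtplib.SMTP_SSL(p.server, p.port, timeout=p.timeout, context=ctx)
    conn = smtplib.SMTP(p.server, p.port, timeout=p.timeout)
    if p.encryption == "EXPLICIT":
        # Upgrade with STARTTLS; raises SMTPNotSupportedError when the server
        # does not offer it, so there is no silent fallback to plain text.
        conn.starttls(context=ctx)
    elif p.encryption == "AUTOMATIC":
        conn.ehlo()
        if conn.has_extn("starttls"):
            conn.starttls(context=ctx)
        # otherwise the session stays in plain text
    return conn


if __name__ == "__main__":
    # Constructed profiles: a weak setting beside a corrected one.
    weak = SmtpProfile("mail.example.test", 25, "SASLPLAIN", "NONE")
    fixed = SmtpProfile("mail.example.test", 587, "SASLPLAIN", "EXPLICIT")
    for name, profile in (("weak", weak), ("fixed", fixed)):
        print(name, audit_profile(profile) or "no findings")
```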


Chapter 10 Deferred Processing

This program provides the ability to schedule operations to occur in the future and/or on a recurring basis. Another very handy feature is the ability of the program to retry all machines that are found to be off-line or return errors. These features come under the heading of "deferred processing".

The job process is handled by a service that runs on the host system. The service runs under an administrator level account due to the accesses required on target systems. It is best to use a domain administrator account for this service given that it will be accessing many if not all systems in the network.

The program periodically (default is 6 seconds) checks for any jobs that need action, as well as whether any retry jobs are ready to be tried again. This service is also responsible for scheduling the re-scan of dynamic system sets. The job dispatching works as a queue, so older jobs will always run before newer jobs if more than one job should be dispatched. Only one deferred job will run at a time.

Install and start the deferred processing service to permit any deferred processing to take place. The setup and management of the deferred processing service is handled through the Jobs Monitor dialog. The Jobs Monitor dialog can be launched either from the main program dialog or from the systems list dialog.

The jobs monitor shows the current jobs; get more details on any job by double-clicking on it. These jobs may be edited, deleted, restarted or paused. The scheduler job log can also be viewed, printed, or erased. The retry policy (wait between retries, which errors to ignore, etc.) can also be set from this dialog. Use the Components option to determine the properties of the installed components.

Note: If the system that is running the deferred processing service is restarted, make sure that the scheduler is restarted when the system comes back up.

IN THIS CHAPTER

Scheduling Options
Jobs Monitor Dialog
Jobs Monitor Menu Items
Editing a Job
Job Scheduler Service Installation
Job Scheduler Log File Dialog
Job Scheduling Check Interval

SCHEDULING OPTIONS

The various product operations provide a Schedule feature which allows specification of when the operations should be performed. This can be used to schedule operations to be performed at a later time or to run operations periodically.

Shown below is the Job Scheduler dialog.

The purpose of the job scheduler is to run a task at some time in the future, or to run it at regular intervals in the future. This dialog allows configuring when and how the job should run. It also allows sending a Wake on LAN packet prior to the job, or deleting the job after its last completion. The job can be set to Run now, which will cause it to be run through the deferred processor by scheduling the job to happen immediately once and then be rescheduled according to its settings.

Scheduled jobs will not run if the deferred processing service has been stopped. If the scheduling service is stopped and started later when many jobs are overdue, the scheduler service will attempt to start each job in order, one at a time.

The top drop down box specifies how often the task should be run and the bottom box specifies the exact time(s). There is also an optional comment field to record notes associated with the specific job. A job can be set to be deleted when it is complete. Wake on LAN packets may be sent before performing a job, just to make sure the target computer is on. The panel on the right shows which operations are being scheduled.

Note: For jobs scheduled on all machines in a dynamic set, a dynamic set update is performed just before the job is run. This allows setting up jobs to run on all systems in the set without having to worry about forcing the dynamic set to be current.

JOBS MONITOR DIALOG

Shown below is the Jobs Monitor dialog.

The Job Monitor allows viewing and managing jobs that have not yet completed or jobs that are set to run in the future. The Jobs Monitor will also show the status of any jobs that have failed and are being retried.

The top list shows the current list of jobs and each job's status. In the dialog shown, there are currently no pending jobs. The columns of the list show the job type, the number of machines the job was originally run on (and the number remaining to complete), the current state of the job, the number of retries attempted, the time and result of the last run, the time of the next attempt, and the status of the job.

The middle section of this window has three parts. On the top left, there is a section which shows the status of the scheduler service. From here, it is possible to adjust the scheduler service state (and the Job Scheduler Service Installation (on page 174)), the sleep time between runs, and the general Retry Settings Dialog. If the service is running, the numbers in the countdown box will count down to 0.

The top right box has controls for manipulating the jobs. Edit Job Properties, pause and resume jobs, delete jobs from the list, or restart jobs from here.

The bottom section has controls for the Job Scheduler Log File Dialog (on page 174). Adjust the log file name and location, as well as view and erase the log from here. Note: the scheduler's log file contains entries for the scheduler service operation; entries related to specific jobs are contained in the specific job's log file. Access these log files by editing the particular job.

The top list box provides summary information about all of the pending and completed jobs. The entire dialog may be resized, or any column may be resized by using the mouse to drag the right border of any column heading. Note that some of the columns appear to be truncated. This was done on purpose to display the most important information on each line, yet allow the option of opening up partial columns that may contain infrequently used information. The function of each column is described below:

JOBID is the number of each job. The numbers start at and go up to FFFFFFFF counting in hexadecimal (0-9, then A-F before carrying to the next digit).
COMMENT is an optional comment which can be given to each job. This column has been intentionally narrowed to provide enough space for other columns. The column can be resized by dragging the right side of the column to the right.
ACTION is the type of job. This will normally correspond to Get, Set, Replace etc.
SYSCNT/TODO provides a count of the number of systems in the job and the count of systems yet to be processed.

175 Deferred Processing 169 STATE shows the sate of the job. Jobs can be scheduled for a run (sked), retrying (retry), completed (done) and a few other states. RETRIES shows how many times this job had to be restarted to handle a returned error. If any part of a job fails, the entire job is re-run. LAST RUN shows the date and time of the last run of the job. This is useful when tracking jobs that are retrying. LAST ELAPSED shows the amount of time it took for Lieberman RED Services Management to complete the last task. RTNERR shows the last returned error code number. Successful jobs always return zero (0) if there were not errors. Ignore certain errors by using the "Retry" dialog to edit the ignore errors list. NEXT RUN shows when the job is scheduled to next run again. STATUS shows the current return status message for the job. Get more details by double-clicking on any job to get detailed information on any system or service in the job JOBS MONITOR MENU ITEMS FILE Log - Set up, view or print the log file of all the program's activities. JOB View/Edit Details - Edit selected job(s). Restart - Restart the selected job(s). Pause - Pause the selected job(s). Delete - Delete the selected job(s). Retry Policy - Open up and edit the Retry Policy. SCHEDULER SERVICE Configure - Open up and configure the scheduler service. Sleep Time - Set up the sleep time between checks for scheduled services. COMPONENTS View Components - View components that are used by this program. HELP

176 170 Deferred Processing Contents - Opens this file EDITING A JOB You can view/edit any job by either double-clicking on the job entry, or by highlighting an entry and clicking on the EDIT button in the Job Monitor. IMPORTANT DETAIL: If you click on the CANCEL button after viewing a job, no change will be made to a job. If you click on the OK button, the job will be immediately rescheduled to run according to it's scheduling settings. Shown below is the Edit Job dialogue. At the top of the dialogue you will see the name of the job. You will also see three tabbed pages: Job Systems This is the screen shown below. This page shows the list of systems managed by this job. Use the Add and remove buttons to add and remove systems from this job. When you add systems to a job, you can add any system that is in any managed group that is not already part of this job.

177 Deferred Processing 171

178 172 Deferred Processing Schedule Job Shows when the job is to be run and allows you to modify the running criteria. The "How often should this job run?" determines how often and when this job should be run. The options are: One-Shot (meaning just once), disabled, hourly, days of the week, monthly, or yearly. Delete job on completion will remove the job from the job list upon completion. The Scheduled Run Time box will allow you to set the time you want to run the job. The job comment text field allows you to give each job a comment that appears in the Job Monitor dialogue. This is the standard scheduling options page for all scheduled operations.

179 Deferred Processing 173 Job Log Displays the detailed log information regarding this job. You can also view the same file using Windows built-in text editor application (via "View Log File" button) as well as print the file (via "Print Log File" button). The file size is displayed and the file can be deleted if desired. This log file will contain any job specific error messages related to the execution of this job. It will show when the job ran, who started it, and status messages indicating what it is doing and how long it took to complete. This log will also contain any error messages that occur while the job was running.

10.5 JOB SCHEDULER SERVICE INSTALLATION

Shown below is the Scheduler Service Installation dialog:

The status display shows the current status of the scheduler service. Use the refresh button to cause the program to query for the status manually. The start and stop buttons control the startup and shutdown of the service. The path to the scheduler service may be changed from this dialog.

Before the service can run, it needs to be installed. When installing the service, the installation dialog will prompt for the account to run the service under. To later remove the service, use the Remove button.

Note: The account the service runs as will be granted the necessary rights to run as a service if it does not already have these rights. The relevant right is Log On as a Service. Remove will not revoke any rights which are granted as a result of this operation.

When installing the service, it will be installed as a regular service on the host machine under the name of this application. The service can also be configured via the Service Configuration control. To reconfigure the service through the tool's dialogs, first remove the service, and then use install. At this time, reconfigure is functionally equivalent to install.

JOB SCHEDULER LOG FILE DIALOG

The Job Scheduler Log File dialog is shown below. This can be accessed through the File menu in the Job Scheduler dialog. This dialog allows the user to view the log file in a text editor, print the log file, or delete the log file. It also displays the size and location of the log file.

The log file for the deferred processor service will contain messages related to the operation of the scheduling service. It will show service startup, stop, and job dispatches as well as abnormal return codes from dispatched jobs. For log information pertaining to a specific job, look in that job's log file by editing the job and browsing to the log tab.

JOB SCHEDULING CHECK INTERVAL

The job scheduler periodically checks all existing jobs to determine whether it is time to start them. The period between polls is set in the Sleep Max field. Edit this time by clicking on the ellipsis (...) button to the right of the Sleep Max field. The default time is 60 seconds. Between checks, the scheduler is in a sleep state and will not dispatch jobs. Only one job will be dispatched at a time.

Chapter 11 Remote Control

The remote control support allows integration with VNC and Terminal Services to provide remote control for systems.

IN THIS CHAPTER
Setting up VNCPass
Open VNC Connection
VNC Options
Import Settings from a .rcm File
Install/Remove VNC on System
Start/Stop/Restart the VNC service
Set VNC Password

SETTING UP VNCPASS

Before using VNC functionality, first download and install the open source VNCPass application from Lieberman Software's website. This separate application allows getting and setting options for VNC. It also allows launching VNC and starting a logon session on a remote machine.

OPEN VNC CONNECTION

This option will attempt to create a VNC connection with all selected systems. By default, the application will attempt to connect to the VNC service running on the remote machine. If the service cannot be found, it will attempt to copy the service to the remote machine, install the service, and start the service. The connection will then be retried. During this process, if required information cannot be found (such as a path to the service or any of the required files), a message box will be displayed to inform the user of the missing components.

If copying VNC to a remote system, make sure to specify a logon password for the service. If the password is left blank, VNC will not allow connections using the logon password mechanism.

Open VNC Connection also does not require knowing the password for the VNC installation on the target system. The VNC connection password can be gathered as part of the connection process.

If the version of VNC installed on the local system differs from the version running on the remote system, VNC may not be able to connect. The easiest way to get around this issue is to remove the remote version and push out the local version to remote systems when you attempt to make connections.

VNC OPTIONS

To configure the VNC options, go to Remote Connections > VNC > VNC Options. This dialog is used to fill in the required information for pushing VNC to a remote system and connecting to it. These options are filled in automatically, but may need to be adjusted. The case where this dialog will be necessary is if VNC has been installed and it cannot be found. In that case, Lieberman RED Systems Management will prompt to locate the required files when a VNC connection is attempted.

In the dialog shown, the VNC Service Remote Push Settings section provides the location of the VNC service that will be copied to remote systems if VNC is not found. Along with the full path to the service EXE file, also specify any files on which that service is dependent. These dependent files are filled in by default, but different instances of VNC may depend on different files. In all cases, default files must be located in the same directory as the service EXE file. If attempting to add files to the list that are not in the same location, a warning will appear and then those files which cannot be found will be removed from the list of dependent files.

The Local Viewer Settings field is the full path to the client viewer used to connect to VNC on the remote systems.

The VNC Session Password is the password that is required in order for clients to open sessions with the VNC service. By default, existing passwords will not be overwritten when connecting to pre-existing instances of VNC on remote systems; this password is used when copying the service to a system that does not already have it. It will still be possible to access systems for which no password has been set as long as administrative access to that system is available.

Select to use a fixed password or assign a random password to each instance of the VNC service. VNCPass provides a randomization of this password for increased security so that each system will receive a different random password for its VNC service. There is no need to know this VNC password because administrative access allows the process to retrieve it on demand.

The Advanced button provides additional pages with more fields to fine tune:

The installation parameters of the VNC service when pushing VNC out to remote systems.
The VNC application settings that will be applied to new installs of the VNC client.
Actions to take before and/or after the VNC session, such as installation and removal or service start and stop.
Additional viewer command line parameters or a custom viewer application path.
Application specific VNC parameters for optimal use of different versions of VNC.

VNC Service - This page allows configuring the service settings for copying to and installing the VNC service on remote systems.

The Remote Service Installation Settings all deal with copying the VNC service to the remote system if the service cannot be found. If Install Remote Service is unchecked, then VNC will not be installed on remote systems. The Service Short Name and Service Display Name fields are both used for installing the service on the remote system. The Service EXE Name field is the name of the executable file that will be copied to the remote systems and run as the VNC service. This field can be set manually or is set automatically when browsing to the file using the "Name and Path to Service EXE" edit field. The Service Startup Type options also deal with installing the service on the remote system.

Using the file list, specify any additional files the service EXE is dependent on to be copied along with the service. Finally, the Service Destination Location field specifies the remote folder to which the service EXE file and any dependent files will be copied on the remote system.

The Viewer Application Name and Location field refers to the path and name of the viewer application on the local system that will be used to make the connection to the service on the remote system.

VNC Settings - This page allows setting the VNC options for new installs of the VNC service. These options can also be used to overwrite the options for existing instances of VNC.

The top options tune which events on the remote system cause the screen to be redrawn. If Allow Socket Connections is unchecked, the VNC service on the remote machine will not allow clients to make socket connections. Configure which port the service uses for connections.

The Connection Password Settings section controls the client connection password to the VNC service. This password must be entered in order to start a VNC session with a remote system. VNC does not allow blank passwords.

The Random Password option allows creating a secure, pseudo-random, un-typeable password for each installation of the VNC service on remote systems, or creating random passwords that can be entered via keyboard.

Auto-Configuration - This page shows the actions that can be taken before starting a VNC session and directly after ending a VNC session. The options at the top allow configuration of whether or not the VNC service will be copied out to remote systems, started before a connection is made, and stopped and/or removed after a session is ended.

VNC Viewer - On this dialog, set the path to the VNC viewer application. This is the path on the local system that will be used to connect to the VNC service running on remote systems. Using this page, supply additional command line arguments to the viewer application on launch. These command line arguments will be used every time a VNC connection is opened from within our tool.

Application Preferences - These settings customize how VNC interacts with specific applications on the remote system. These registry settings can be used to define custom behaviors for the VNC viewer client interacting with specific applications. For example, the VNC viewer normally hooks the paint method, but for an application like the system clock, specify for the VNC viewer to refresh on the OnTimer call instead. Some versions of VNC ship with registry files for specific application configuration. See the documentation of the VNC distribution for more details about application preferences.

11.4 IMPORT SETTINGS FROM A .RCM FILE

This option allows importing previous settings from a .rcm file. This format is used to store VNC connection settings. Just browse to the file and VNC settings will be imported from the existing format. Check the settings using the VNC Options menu item.

INSTALL/REMOVE VNC ON SYSTEM

These options allow installing or removing the VNC service from selected systems. If installing the service, the settings specified through VNC Options will be used to configure the service. If one or more required components cannot be found, a notification as to which components are missing will be displayed. Use the VNC Options pages to locate these components. The default settings will assume default paths for a VNC install.

START/STOP/RESTART THE VNC SERVICE

Start, stop, and restart the VNC service running on remote systems. This can be useful when changing the password or explicitly enabling or disabling VNC. Some changes to options in VNC require a restart of the VNC service to take effect (like changing passwords).

SET VNC PASSWORD

This dialog allows the password to be set for VNC services running on one or more systems at the same time.

First, select one or more target systems. Then go to RemoteConnection > VNC > Set VNC Password.

Either supply a fixed password or choose to generate a random password for each instance of VNC. By default, the random passwords that are generated cannot be typed on a keyboard, which will prevent non-administrators from being able to open a VNC session through the VNC client logon window. It is also possible to generate typeable passwords, but un-typeable is the default for increased security. It will always be possible to open a VNC session on the system as long as credentials are supplied that are valid administrator credentials on that system (whether the password is typeable or not).

A service must be restarted after updating a password. Choose to restart the VNC services after the password change, as the password change will not take effect until the service is restarted. Keep in mind that restarting the service will end any active sessions.

Note: If supplying a blank password for VNC, VNC will not permit a connection. Depending on the version of VNC, it may use alternate methods to authenticate, but a blank password will not work. Specifying a blank password may also cause a failure when opening a VNC connection to a remote system.

Chapter 12 Program Settings

This section discusses this product's various program settings.

IN THIS CHAPTER
General Options
Logging Options
Registration Dialog
License Token Assignment
About
Logon Information Dialog

12.1 GENERAL OPTIONS

Shown below is the General Options Dialog. These options are program-wide.

Maximum Service Wait Time - The "Maximum Service Wait Time" controls how long the program will wait for a service to start or stop before giving up and moving on to other tasks. This is necessary to handle services that do not respond to service starts and stops in a timely manner. You can see the maximum time encountered for starts and stops in the adjoining "Service Start/Stop Statistics" section. If you are consistently exceeding the maximum time, you may want to increase this value to 60 seconds or more.

Threads - Windows has the ability to spawn off threads that allow concurrent activity to be performed in parallel. This feature allows you to take advantage of the large amounts of dead time waiting for the remote systems to respond. If you have a machine that has multiple processors, this software will use all of the available processors to speed up the work. The "Active Threads" field will constantly be changing when you are performing Gets and Sets. You know that all activity has completed when the "Active Threads" field is at the value of zero (0). You can increase the number of threads by using the spinner buttons on the right side of the "Max Threads" field. The maximum number of available threads defaults to 100. The maximum number of threads value is used throughout the program.

Processing Order Control - When performing changes on multiple services at the same time, the order of service modification via a Set operation can be critical. The need for ordered change is normally due to service dependencies. If you are going to be changing more than one service at a time, you must know the dependency order of all of the services to be changed. You can see the dependency order of any service by double-clicking on the service after performing a Get operation on that service.

If you attempt to make changes to more than one service, the change order will normally be alphabetical (no processing order list specified). When performing changes, RED Services Management examines the list of services to change (you can highlight them or select a server), re-sorts them according to the order you provide in the processing order list, and then appends the remaining items (those not appearing in the processing order list) in alphabetical order to the end of the processing list.

A series of "Move Entry" buttons are provided to allow you to reorder your processing order list. You need to first highlight an entry, and then use the Top, Up, Down, or Bottom buttons to move that entry around. To support an instantaneous reversal of the entire list in one operation, an Invert Order button is provided. You can insert the entries from as many different services as you wish. If none of the services on the list matches the list of services to be changed, then the list is ignored.

Note: The Processing Order must be set prior to any Set or Search and Replace operation. If any of the entries in a processing pass appears on the Processing Order list, an entry in the log is made indicating that reordering has been performed.

Note: RED Services Management performs all operations using multiple threads. To support the sequential ordering of service changes, the program only dedicates one thread per system under management. The use of only one thread per system assures proper sequential changes while maintaining robust performance.
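The ordering rule described above, as an added Python sketch that is not part of the product or of the original guide: services named in the processing order list go first in list order, the rest follow alphabetically, and each system gets a single worker so its changes stay sequential while systems run in parallel. Case-insensitive name matching, the `set_service` callback and the sample system and service names are assumptions made for the illustration.

```python
"""Added illustration of the Processing Order rule; not the product's code."""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Tuple


def order_services(to_change: Iterable[str],
                   processing_order: List[str]) -> Tuple[List[str], bool]:
    """Return (services in change order, whether reordering was applied).

    Entries that appear on the processing order list come first, in list
    order. Everything else is appended alphabetically. If nothing matches,
    the list is ignored and the result is plain alphabetical order.
    """
    # Assumption: service names are matched case-insensitively.
    wanted: Dict[str, str] = {}
    for name in to_change:
        wanted.setdefault(name.lower(), name)

    listed: List[str] = []
    placed = set()
    for entry in processing_order:
        key = entry.lower()
        if key in wanted and key not in placed:
            listed.append(wanted[key])
            placed.add(key)

    rest = sorted((name for key, name in wanted.items() if key not in placed),
                  key=str.lower)
    # The second value is the condition under which the guide says a
    # "reordering has been performed" entry is written to the log.
    return listed + rest, bool(listed)


def apply_changes(plan: Dict[str, List[str]],
                  processing_order: List[str],
                  set_service: Callable[[str, str], None],
                  max_threads: int = 100) -> Dict[str, Tuple[List[str], bool]]:
    """Apply changes with one worker per system.

    Systems are processed in parallel (bounded by max_threads), but the
    services of a single system are changed strictly one after another.
    set_service(system, service) is a hypothetical callback that performs
    the actual change.
    """
    def run_system(system: str, services: List[str]) -> Tuple[List[str], bool]:
        ordered, reordered = order_services(services, processing_order)
        for service in ordered:
            set_service(system, service)  # sequential within one system
        return ordered, reordered

    workers = max(1, min(max_threads, len(plan)))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {system: pool.submit(run_system, system, services)
                   for system, services in plan.items()}
        return {system: future.result() for system, future in futures.items()}


if __name__ == "__main__":
    # Constructed sample data: two systems and a two-entry processing order.
    order = ["LanmanWorkstation", "Netlogon"]
    plan = {
        "SRV1": ["Spooler", "Netlogon", "BITS", "lanmanworkstation"],
        "SRV2": ["Spooler", "BITS"],
    }
    results = apply_changes(plan, order, lambda system, service: None)
    for system, (ordered, reordered) in results.items():
        print(system, ordered, "reordered" if reordered else "alphabetical")
```

Because the second return value is false when no entry matches, a caller can tell an ignored processing order list apart from one that actually changed the sequence.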

Password Retrieval - One of the unique capabilities of this program is its ability to retrieve the password used by different services. This allows you to see which passwords are used by services and allows you to bring all passwords to a consistent value. Password retrieval is done every time a "Get" cycle is performed on a machine or a group of services. The process of retrieving the password information does not take much time on local machines, but can take an extended period of time when retrieving the information from machines on a slow WAN (Wide Area Network), or from machines connected via a link with long delays (packet latency). This check box allows you to turn off password retrieval after you have the current password values. This will speed up service information retrieval dramatically.

WARNING! If you make a change to a service password on one or more services and this check box is unchecked, the program will not show the correct password value. If you are changing password values, you MUST have this check box enabled.

Log Path - This is the location of the log file.

Service Start/Stop Statistics - The program will constantly monitor the time it takes for all starts and stops on all systems it manages. The maximum start and stop times as well as the machines and services that generated these statistics are recorded in this section. You can reset the statistics at any time by clicking on the "Clear Statistics" button.

When Get/Set Completes - This set of check boxes controls the actions after the completion of a "Get" or "Set."

Don't show "Job Completed OK" dialog - This check box inhibits the success pop-up at the end of the job when everything worked fine.
Don't show "End of Job Errors" dialog - This dialog pops up when some of the systems or services returned with errors. It allows you to create a report of the errors as well as to retry all or some of the failed systems/services. If this option is disabled, the next two check boxes define the default action to perform automatically.
Auto Retry All Failed Systems - Will automatically create a job to periodically retry all failed systems.
Auto Retry All Failed Services - Will automatically create a job to periodically retry all failed services.

LOGGING OPTIONS

Before using the product, examine the log file settings. The log file settings are found at Settings > Logging Options.

By default, the log file will be created in the location recommended by Microsoft for application log files. It may be preferable to select an alternate location for log files; to do so, simply specify a new log file location/name using the ellipsis button.

There are two thresholds of logging available: extended and normal. The extended (verbose) mode includes normal log information as well as information on the internal phases the product goes through while performing changes and logging. In normal operation extended logging is not necessary. The extended logging information is useful for debugging should it become necessary.

The log file is always appended to. It is always safe to read/copy the log file when changes are not in progress.

Log Statistics - By checking the Log Statistics check box, the log will receive the pre and post transaction counts for managed items. This information will be logged to the log file.
View - View the log in a text editor.
Print - Print the log file.
Delete - Delete the log file.
Log Size - Displays the current size of the log file in bytes.
Windows Event Log - These options tell the program to also log to the computer's Application Event log. The remote computer is the computer that is being changed by the program and the local machine is the machine that the program is running on. The Windows Application Event Log is a record of program activity and can be useful in tracking operations performed by this tool which would reflect changes to the network configuration or security.

REGISTRATION DIALOG

Shown below is the Registration dialog. This dialog can be accessed through the Help menu in the main dialog (not the Manage Systems dialog). This dialog is also shown as a part of the installation process.

The serial number entered is customized specifically to the machine that is running the software, not the machines being managed. The number of systems the license allows management of and the name of the system that is allowed to run this software are embedded in the serial number.

If the software has been running in demo mode and a commercial license is purchased, send Lieberman Software the machine name (which is located on the About dialog screen). We use this to generate the appropriate serial number. If more systems must be managed or the tool needs to be moved to a machine with a different name, contact Lieberman Software for a new serial number.

Use Remote License - Multiple administrators can share a single license from multiple workstations or servers. This option does not share system set or system information (each system set and system information is maintained locally). General application data is also not shared. This essentially means that each instance of the install is a complete version which maintains its own separate program data. If needing to transfer set information from one instance of the tool to another, use the Import/Export Systems List (on page 41) features for system lists or use Import Settings to import program settings from a Remote Licensed Server if available.

To enable the use of a shared license key, a commercial version of the software must be installed and accessible. Go to the registration screen and set the check box: Use Remote License. It is also possible to connect as an Administrator Accounts Editor (on page 142). Enter the name or browse to find the name of the machine that has the license. Enter the name of the licensed machine in the Remote Licensed Machine Name field. Finally, click on the OK button.

Note: On the remote system, the provided credentials must be administrative credentials, otherwise remote licensing will not work.

In order to continue using a remote license, the licensed system must always be online and accessible.

IF PLANNING TO INSTALL THE SOFTWARE ON A LAPTOP OR MACHINES THAT CANNOT BE NETWORKED TOGETHER TO SHARE THE COMMERCIAL KEY, IT WILL BE NECESSARY TO OBTAIN A SEPARATE LICENSE KEY FOR EACH DISCONNECTED SYSTEM.

Note: Remote Licensing will not function without a commercial key being installed on the licensing server.

LICENSE TOKEN ASSIGNMENT

When a commercial version of the product is purchased, a serial number will be sent which will allow management of a fixed number of systems. This dialog shows which systems are licensed or not, and which systems are still found in any of the system sets or not. This dialog can be accessed by opening License Token Management from the Help menu of the main dialog.

License tokens are automatically assigned to systems when they are managed by performing actions such as running a report or changing a user's password. License tokens can also be manually assigned from the dialog by selecting the system and then clicking the Assign button. Simply refreshing system information does not cause a system to become licensed.

License tokens are assigned to machine names. This means if a system is decommissioned and replaced with new hardware but the new system uses the same name, it may use the same license; there is no reason to release and re-assign the license.

In the systems list on this dialog, the Licensed column displays the current licensing status of a machine as either YES or NO. The #Rekeys column displays the number of times a machine has had its license released and re-assigned. The InAGroup column displays whether or not a system is found in any systems list as either Active if it is in a set, or Abandoned if it is not in any sets.

As stated previously, if a machine is retired but it will be replaced by a new system with the same exact NetBIOS name, do not release the licensing. However, if that NetBIOS name will never be managed again and licenses need to be reclaimed, select those systems here and elect to release their license.

Whenever a machine's token is released, the Rekeyed Systems counter will increment. If the token is re-assigned to the same system name, the Rekeyed Systems field will decrement and the #Rekeys column for the given system will increment. If this process is repeated more times than the allowed number of Maximum Rekeys, the system will be Locked-Out of management.

An easy way to find systems that you may wish to remove licenses from is to sort by the InAGroup column and look for systems that are abandoned. Abandoned systems are not found in any of the tool's systems lists.

IMPORTANT: License tokens are currently assigned for each unique system name in the System column of the main dialog. If the same system is listed multiple times by different names (i.e., by NetBIOS name and by IP Address), you may inadvertently use multiple tokens for the same system. To ensure that this does not happen, be sure to use the following steps when adding systems using multiple naming conventions:

1) Add the systems to the set.
2) Select all the systems, then select the Refresh Info (Get Role/Version) operation (this does not cause systems to be licensed).
3) From the main dialog's SystemsList menu, select Remove Duplicate Systems.

Export the list of licensed systems by clicking the Export button and using the product's built-in Configuring Reports (on page 145).

ABOUT

This dialog contains version information and your specific licensing information based on your serial number. If this is an evaluation, you can get your NetBIOS Computer Name from this screen. After you purchase Service Account Manager and use the Register dialog to update your serial number, this screen will be updated to show your purchased licensing information. If the information on this screen does not conform to what you ordered, please contact Lieberman Software immediately for a corrected key.

12.6 LOGON INFORMATION DIALOG

The Logon Information dialog shows the current logon credentials and program environment variables. These current logon credentials can be supplemented using the Administrator Accounts Editor (on page 142) feature to perform operations within the product.

Shown below is the Logon Information dialog.

USER NAME - The current user's login name.
SYSTEM NAME - The name of this system.
ROLE - The role of this system.
LOGON DOMAIN - The name of the domain that this machine is logged into.


More information

Avalanche Remote Control User Guide. Version 4.1

Avalanche Remote Control User Guide. Version 4.1 Avalanche Remote Control User Guide Version 4.1 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway, Suite 200 South Jordan, Utah 84095

More information

INSTALLATION GUIDE Spring 2017

INSTALLATION GUIDE Spring 2017 INSTALLATION GUIDE Spring 2017 Copyright and Disclaimer This document, as well as the software described in it, is furnished under license of the Instant Technologies Software Evaluation Agreement and

More information

Shavlik Protect. Upgrade Guide

Shavlik Protect. Upgrade Guide Shavlik Protect Upgrade Guide Copyright and Trademarks Copyright Copyright 2009 2014 LANDESK Software, Inc. All rights reserved. This product is protected by copyright and intellectual property laws in

More information

Synchronization Agent Configuration Guide

Synchronization Agent Configuration Guide SafeNet Authentication Service Synchronization Agent Configuration Guide 1 Document Information Document Part Number 007-012848-001, Rev. E Release Date July 2015 Applicability This version of the SAS

More information

License Manager Client

License Manager Client License Manager Client Operations Guide NEC NEC Corporation of America November 2010 NDA-30899, Revision 6 Liability Disclaimer NEC Corporation of America reserves the right to change the specifications,

More information

1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE

1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE 1.0 Quest Enterprise Reporter Discovery Manager USER GUIDE 2012 Quest Software. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Digipass Plug-In for SBR. SBR Plug-In SBR. Steel-Belted RADIUS. Installation G uide

Digipass Plug-In for SBR. SBR Plug-In SBR. Steel-Belted RADIUS. Installation G uide Digipass Plug-In for SBR SBR Plug-In SBR Steel-Belted RADIUS Installation G uide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product

More information

Upgrading to Sage ACT! 2013 from ACT! 3.x, 4.x, 5.x (2000), or 6.x (2004)

Upgrading to Sage ACT! 2013 from ACT! 3.x, 4.x, 5.x (2000), or 6.x (2004) Upgrading to Sage ACT! 2013 from ACT! 3.x, 4.x, 5.x (2000), or 6.x (2004) Copyright 2012 Sage Software, Inc. All Rights Reserved. Sage, the Sage logos, ACT!, and the Sage product and service names mentioned

More information

CompleteView Admin Console User Manual. CompleteView Version 4.6

CompleteView Admin Console User Manual. CompleteView Version 4.6 CompleteView Admin Console User Manual CompleteView Version 4.6 Table of Contents Introduction... 1 End User License Agreement...1 Overview...2 Configuration... 3 Starting the Admin Console...3 Adding

More information

Avaya Event Processor Release 2.2 Operations, Administration, and Maintenance Interface

Avaya Event Processor Release 2.2 Operations, Administration, and Maintenance Interface Avaya Event Processor Release 2.2 Operations, Administration, and Maintenance Interface Document ID: 13-603114 Release 2.2 July 2008 Issue No.1 2008 Avaya Inc. All Rights Reserved. Notice While reasonable

More information

Synchronization Agent Configuration Guide

Synchronization Agent Configuration Guide SafeNet Authentication Service Synchronization Agent Configuration Guide 1 Document Information Document Part Number 007-012848-001, Rev. B Release Date March 2015 Applicability This version of the SAS

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

CorpSystem Workpaper Manager

CorpSystem Workpaper Manager CorpSystem Workpaper Manager Networking Best Practices Guide Version 6.5 Summer 2010 Copyright: 2010, CCH, a Wolters Kluwer business. All rights reserved. Material in this publication may not be reproduced

More information

LepideAuditor for File Server. Installation and Configuration Guide

LepideAuditor for File Server. Installation and Configuration Guide LepideAuditor for File Server Installation and Configuration Guide Table of Contents 1. Introduction... 4 2. Requirements and Prerequisites... 4 2.1 Basic System Requirements... 4 2.2 Supported Servers

More information

ER/Studio Enterprise Portal 1.1 Installation Guide

ER/Studio Enterprise Portal 1.1 Installation Guide ER/Studio Enterprise Portal 1.1 Installation Guide 2nd Edition, April 16/2009 Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco,

More information

DME-N Network Driver Installation Guide for M7CL

DME-N Network Driver Installation Guide for M7CL DME-N Network Driver Installation Guide for M7CL ATTENTION SOFTWARE LICENSE AGREEMENT PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ( AGREEMENT ) CAREFULLY BEFORE USING THIS SOFTWARE. YOU ARE ONLY PERMITTED

More information

Product Documentation. ER/Studio Portal. Installation Guide. Version 1.5 Published October 8, 2009

Product Documentation. ER/Studio Portal. Installation Guide. Version 1.5 Published October 8, 2009 Product Documentation ER/Studio Portal Installation Guide Version 1.5 Published October 8, 2009 2nd Edition Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California

More information

User Guide. Portable Calibration Module

User Guide. Portable Calibration Module Portable Calibration Module User Guide CyberMetrics Corporation 1523 W. Whispering Wind Drive Suite 100 Phoenix, Arizona 85085 USA Toll-free: 1-800-777-7020 (USA) Phone: (480) 922-7300 Fax: (480) 922-7400

More information

RedBeam Inventory Tracking User Manual

RedBeam Inventory Tracking User Manual RedBeam Inventory Tracking User Manual Contact us at www.redbeam.com. Page 1 Table of Contents Table of Contents... 2 Overview... 4 RedBeam Inventory Tracking... 4 PC Prerequisites... 4 Mobile Computer

More information

Windows Server 2003 Network Administration Goals

Windows Server 2003 Network Administration Goals Objectives Differentiate between the different editions of Windows Server 2003 Explain Windows Server 2003 network models and server roles Identify concepts relating to Windows Server 2003 network management

More information

x10data Application Platform v7.1 Installation Guide

x10data Application Platform v7.1 Installation Guide Copyright Copyright 2010 Automated Data Capture (ADC) Technologies, Incorporated. All rights reserved. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the

More information

User Guide. Portable Calibration Module

User Guide. Portable Calibration Module Portable Calibration Module User Guide CyberMetrics Corporation 1523 W. Whispering Wind Drive Suite 100 Phoenix, Arizona 85085 USA Toll-free: 1-800-777-7020 (USA) Phone: (480) 922-7300 Fax: (480) 922-7400

More information

Installation Guide Install Guide Centre Park Drive Publication Date: Feb 11, 2010

Installation Guide Install Guide Centre Park Drive Publication Date: Feb 11, 2010 EventTracker Install Guide 8815 Centre Park Drive Publication Date: Feb 11, 2010 Columbia MD 21045 U.S. Toll Free: 877.333.1433 Abstract The purpose of this document is to help users install and configure

More information

DefendX Software Control-Audit for Hitachi Installation Guide

DefendX Software Control-Audit for Hitachi Installation Guide DefendX Software Control-Audit for Hitachi Installation Guide Version 4.1 This guide details the method for the installation and initial configuration of DefendX Software Control-Audit for NAS, Hitachi

More information

System Management Guide Version 7.4a

System Management Guide Version 7.4a Epicor Active Planner Open Integration System Management Guide Version 7.4a Copyright Trademarks Program copyright 1995-2011 Sage Software, Inc. This work and the computer programs to which it relates

More information

Installation Manual. Fleet Maintenance Software. Version 6.4

Installation Manual. Fleet Maintenance Software. Version 6.4 Fleet Maintenance Software Installation Manual Version 6.4 6 Terri Lane, Suite 700 Burlington, NJ 08016 (609) 747-8800 Fax (609) 747-8801 Dossier@dossiersystemsinc.com www.dossiersystemsinc.com Copyright

More information

OfficeServ Link User Manual

OfficeServ Link User Manual OfficeServ Link User Manual Every effort has been made to eliminate errors and ambiguities in the information contained in this guide. Any questions concerning information presented here should be directed

More information

Personality Migration Reference

Personality Migration Reference www.novell.com/documentation Personality Migration Reference ZENworks 11 Support Pack 3 July 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use

More information

DocAve for Salesforce 2.1

DocAve for Salesforce 2.1 DocAve for Salesforce 2.1 This document is intended for anyone wishing to familiarize themselves with the user interface and basic functionality of AvePoint s DocAve for Salesforce tool. System Requirements

More information

Installation Guide for Pulse on Windows Server 2012

Installation Guide for Pulse on Windows Server 2012 USER GUIDE MADCAP PULSE 4 Installation Guide for Pulse on Windows Server 2012 Copyright 2018 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The

More information

Upgrading to Act! v20 from ACT! 3.x, 4.x, 5.x (2000), or 6.x (2004)

Upgrading to Act! v20 from ACT! 3.x, 4.x, 5.x (2000), or 6.x (2004) Upgrading to Act! v20 from ACT! 3.x, 4.x, 5.x (2000), or 6.x (2004) 2017 Swiftpage ACT! LLC. All Rights Reserved. Swiftpage, Act!, and the Swiftpage product and service names mentioned herein are registered

More information

AUTHORIZED DOCUMENTATION

AUTHORIZED DOCUMENTATION Administration Guide AUTHORIZED DOCUMENTATION Novell SecureLogin 6.1 SP1 June, 2009 www.novell.com Novell SecureLogin 6.1 SP1 Administration Guide Legal Notices Novell, Inc. makes no representations or

More information

Last Updated: 14 February 2011 Version 6.5. Page 1

Last Updated: 14 February 2011 Version 6.5. Page 1 Last Updated: 14 February 2011 Version 6.5 Page 1 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the current view of Propalms Ltd. on the issues discussed

More information

Stellar WAB to PST Converter 1.0

Stellar WAB to PST Converter 1.0 Stellar WAB to PST Converter 1.0 1 Overview Stellar WAB to PST Converter software converts Outlook Express Address Book, also known as Windows Address Book (WAB) files to Microsoft Outlook (PST) files.

More information

Installation on Windows Server 2008

Installation on Windows Server 2008 USER GUIDE MADCAP PULSE 4 Installation on Windows Server 2008 Copyright 2018 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described

More information

Chime for Lync High Availability Setup

Chime for Lync High Availability Setup Chime for Lync High Availability Setup Spring 2017 Copyright and Disclaimer This document, as well as the software described in it, is furnished under license of the Instant Technologies Software Evaluation

More information

Stellar Phoenix Windows Data Recovery - Pro

Stellar Phoenix Windows Data Recovery - Pro Stellar Phoenix Windows Data Recovery - Pro Version 4.2 Installation Manual 1 Overview Stellar Phoenix Windows Data Recovery is a complete solution to recover data from hard disk. However, Microsoft Windows

More information

Kernel for Exchange Server. Installation and Configuration Guide

Kernel for Exchange Server. Installation and Configuration Guide Kernel for Exchange Server Installation and Configuration Guide Table of Contents Table of Contents... 2 1. Introduction... 3 2. Requirements and Prerequisites... 3 2.1 Basic System Requirements... 3 2.2

More information

METADATA FRAMEWORK 6.3. and High Availability

METADATA FRAMEWORK 6.3. and High Availability METADATA FRAMEWORK 6.3 and High Availability Publishing Information Software version 6.3.160 Document version 4 Publication date May 22, 2017 Copyright (c) 2005-2017 Varonis Systems Inc. All rights reserved.

More information

Sage X3 Intelligence Financial Reporting. Installation and Upgrade Guide

Sage X3 Intelligence Financial Reporting. Installation and Upgrade Guide Financial Reporting Installation and Upgrade Guide The software described in this document is protected by copyright, and may not be copied on any medium except as specifically authorized in the license

More information

Veritas System Recovery 18 Management Solution Administrator's Guide

Veritas System Recovery 18 Management Solution Administrator's Guide Veritas System Recovery 18 Management Solution Administrator's Guide Documentation version: 18 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are

More information

Quest Enterprise Reporter 2.0 Report Manager USER GUIDE

Quest Enterprise Reporter 2.0 Report Manager USER GUIDE Quest Enterprise Reporter 2.0 Report Manager USER GUIDE 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

MITEL. Live Content Suite. Mitel Live Content Suite Installation and Administrator Guide Release 1.1

MITEL. Live Content Suite. Mitel Live Content Suite Installation and Administrator Guide Release 1.1 MITEL Live Content Suite Mitel Live Content Suite Installation and Administrator Guide Release 1.1 NOTICE The information contained in this document is believed to be accurate in all respects but is not

More information

Silk Performance Manager Installation and Setup Help

Silk Performance Manager Installation and Setup Help Silk Performance Manager 18.5 Installation and Setup Help Micro Focus The Lawn 22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK http://www.microfocus.com Copyright 2004-2017 Micro Focus. All rights reserved.

More information

Symantec ediscovery Platform

Symantec ediscovery Platform Symantec ediscovery Platform Native Viewer (ActiveX) Installation Guide 7.1.5 Symantec ediscovery Platform : Native Viewer (ActiveX) Installation Guide The software described in this book is furnished

More information

Novell Access Manager

Novell Access Manager Quick Start AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP2 June 11, 2010 www.novell.com Novell Access Manager 3.1 SP2 Quick Start Legal Notices Novell, Inc., makes no representations or warranties

More information

Microsoft Windows Servers 2012 & 2016 Families

Microsoft Windows Servers 2012 & 2016 Families Version 8 Installation Guide Microsoft Windows Servers 2012 & 2016 Families 2301 Armstrong St, Suite 2111, Livermore CA, 94551 Tel: 925.371.3000 Fax: 925.371.3001 http://www.imanami.com Installation Guide

More information

KYOCERA Net Admin Installation Guide

KYOCERA Net Admin Installation Guide KYOCERA Net Admin Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for

More information

NBC-IG Installation Guide. Version 7.2

NBC-IG Installation Guide. Version 7.2 Installation Guide Version 7.2 2017 Nuance Business Connect 7.2 Installation Guide Document Revision History Revision Date August 8, 2017 Revision List Updated supported SQL Server versions June 14, 2017

More information

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.2

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.2 Wavelink Avalanche Mobility Center Java Console User Guide Version 5.2 Revised 27/09/2011 ii Copyright 2011 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information

Record Clone User Guide

Record Clone User Guide IOTAP s Record Clone add-on for Microsoft Dynamics CRM allows users to create copy of records for not only System & Standard entities but also Custom and their related entities. Record Clone Version: 3.1

More information

Wavelink Avalanche Site Edition Java Console User Guide. Version 5.3

Wavelink Avalanche Site Edition Java Console User Guide. Version 5.3 Wavelink Avalanche Site Edition Java Console User Guide Version 5.3 Revised 04/05/2012 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information

System Management Guide Version 7.52

System Management Guide Version 7.52 Sage 500 Budgeting and Planning 2013 System Management Guide Version 7.52 Copyright Trademarks Program copyright 1995-2013 Sage Software, Inc. This work and the computer programs to which it relates are

More information

Price List Utilities. For Dynamics CRM 2016

Price List Utilities. For Dynamics CRM 2016 Price List Utilities For Dynamics CRM 2016 Page 1 of 19 Price List Utilities 2016 Copyright Warranty disclaimer Limitation of liability License agreement Copyright 2016 Dynamics Professional Solutions.

More information

Novell ZENworks Asset Management 7.5

Novell ZENworks Asset Management 7.5 Novell ZENworks Asset Management 7.5 w w w. n o v e l l. c o m October 2006 MIGRATING & UPGRADING Table Of Contents 1. Migrating and Upgrading... 3 Upgrading from Earlier Versions...3 Upgrading Client

More information

Quest Collaboration Services 3.6. Installation Guide

Quest Collaboration Services 3.6. Installation Guide Quest Collaboration Services 3.6 Installation Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Copyright SolarWinds. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled,

Copyright SolarWinds. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, APM Migration Introduction... 3 General Requirements... 3 Database Requirements... 3 Stopping APM Services... 4 Creating and Restoring Orion Database Backups... 4 Creating a Database Backup File with Database

More information

Privileged Identity App Launcher and Session Recording

Privileged Identity App Launcher and Session Recording Privileged Identity App Launcher and Session Recording 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Veritas Desktop and Laptop Option Mac Getting Started Guide

Veritas Desktop and Laptop Option Mac Getting Started Guide Veritas Desktop and Laptop Option 9.3.1 Mac Getting Started Guide 20-Nov-18 The software described in this document is furnished under a license agreement and may be used only in accordance with the terms

More information

HP Video Over Ethernet. User Guide

HP Video Over Ethernet. User Guide HP Video Over Ethernet User Guide 2016 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth

More information

Novell ZENworks Asset Management 7

Novell ZENworks Asset Management 7 Novell ZENworks Asset Management 7 w w w. n o v e l l. c o m July 2006 INSTALLATION GUIDE Table Of Contents 1. Installation Overview... 1 Upgrade/Update Matrix...1 Installation Choices...2 ZENworks Asset

More information

Server Edition USER MANUAL. For Mac OS X

Server Edition USER MANUAL. For Mac OS X Server Edition USER MANUAL For Mac OS X Copyright Notice & Proprietary Information Redstor Limited, 2016. All rights reserved. Trademarks - Mac, Leopard, Snow Leopard, Lion and Mountain Lion are registered

More information

Network-MIDI Driver Installation Guide

Network-MIDI Driver Installation Guide Network-MIDI Driver Installation Guide ATTENTION SOFTWARE LICENSE AGREEMENT PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ( AGREEMENT ) CAREFULLY BEFORE USING THIS SOFTWARE. YOU ARE ONLY PERMITTED TO USE

More information

Table of Contents TRIMS Grounds Management Software Installation Guide

Table of Contents TRIMS Grounds Management Software Installation Guide Table of Contents TRIMS Grounds Management Software Installation Guide Software License Agreement... 1 Limited Warranty... 2 Starting the Installation... 2 Select Installation Type... 3 Stand Alone Desktop

More information

BrightStor ARCserve Backup for Windows

BrightStor ARCserve Backup for Windows BrightStor ARCserve Backup for Windows Volume Shadow Copy Service Guide r11.5 D01191-2E This documentation and related computer software program (hereinafter referred to as the "Documentation") is for

More information

User Guide Online Backup

User Guide Online Backup User Guide Online Backup Table of contents Table of contents... 1 Introduction... 2 Getting Started with the Online Backup Software... 2 Installing the Online Backup Software... 2 Configuring a Device...

More information

TIBCO Spotfire Automation Services 7.5. User s Manual

TIBCO Spotfire Automation Services 7.5. User s Manual TIBCO Spotfire Automation Services 7.5 User s Manual Revision date: 15 January 2016 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO

More information

AvePoint RevIM Installation and Configuration Guide. Issued May AvePoint RevIM Installation and Configuration Guide

AvePoint RevIM Installation and Configuration Guide. Issued May AvePoint RevIM Installation and Configuration Guide AvePoint RevIM 3.2.1 Installation and Configuration Guide Issued May 2017 1 Table of Contents What s New in This Guide... 4 About AvePoint RevIM... 5 Installation Requirements... 6 Hardware Requirements...

More information

Oracle IVR Integrator

Oracle IVR Integrator Oracle IVR Integrator Concepts and Procedures Release 11i April 2000 Part No. A83630-01 Oracle IVR Integrator Concepts and Procedures, Release 11i Part No. A83630-01 Copyright 2000, Oracle Corporation.

More information

TIBCO Spotfire Automation Services

TIBCO Spotfire Automation Services Software Release 7.11 LTS November 2017 Two-Second Advantage 2 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY

More information

CA GovernanceMinder. CA IdentityMinder Integration Guide

CA GovernanceMinder. CA IdentityMinder Integration Guide CA GovernanceMinder CA IdentityMinder Integration Guide 12.6.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Asset Management Migration Guide

Asset Management Migration Guide www.novell.com/documentation Asset Management Migration Guide ZENworks 11 Support Pack 2 March 20, 2012 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE SERVICE PACK 1 PART NO. E

ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE SERVICE PACK 1 PART NO. E ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE 3.6.1 SERVICE PACK 1 PART NO. E17383-01 MARCH 2010 COPYRIGHT Copyright 1998, 2010, Oracle and/or its affiliates. All rights

More information

TIBCO Spotfire Automation Services

TIBCO Spotfire Automation Services TIBCO Spotfire Automation Services Software Release 7.9 May 2017 Two-Second Advantage 2 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED

More information

Microsoft Dynamics GP Web Client Installation and Administration Guide For Service Pack 1

Microsoft Dynamics GP Web Client Installation and Administration Guide For Service Pack 1 Microsoft Dynamics GP 2013 Web Client Installation and Administration Guide For Service Pack 1 Copyright Copyright 2013 Microsoft. All rights reserved. Limitation of liability This document is provided

More information

Shoviv GroupWise To Outlook

Shoviv GroupWise To Outlook Copyright 2018 Shoviv Software Private Limited Table of Contents 1. About 1.1 Introduction 1.2 Key Features 1.3 System Requirements 2. Installation and Uninstallation 2.1 Installation 2.2 Uninstallation

More information

SonicWALL CDP 2.1 Agent Tool User's Guide

SonicWALL CDP 2.1 Agent Tool User's Guide COMPREHENSIVE INTERNET SECURITY b SonicWALL CDP Series Appliances SonicWALL CDP 2.1 Agent Tool User's Guide SonicWALL CDP Agent Tool User s Guide Version 2.0 SonicWALL, Inc. 1143 Borregas Avenue Sunnyvale,

More information

eb ProjectWise Connection Services

eb ProjectWise Connection Services eb ProjectWise Connection Services INSTALLATION & ADMIN GUIDE D003483 rev 2.0 TRADEMARK NOTICE Bentley and the "B" Bentley logo are registered or non-registered trademarks of Bentley Systems, Inc. or Bentley

More information

CaseMap Server Installation Guide

CaseMap Server Installation Guide CaseMap Server Installation Guide About CaseMap Server System Requirements v1.0 System Requirements v1.5 What's New in Version 1.5 Installing the CaseMap Server Installing the CaseMap Admin Console Installing

More information

Veritas ediscovery Platform

Veritas ediscovery Platform Veritas ediscovery Platform Release Notes 9.0.1 Release Notes PAGE: 2 Veritas ediscovery Platform : Release Notes 9.0.1 The software described in this book is furnished under a license agreement and may

More information

Perceptive TransForm E-Forms Manager

Perceptive TransForm E-Forms Manager Perceptive TransForm E-Forms Manager Installation and Setup Guide Version: 8.x Date: February 2017 2016-2017 Lexmark. All rights reserved. Lexmark is a trademark of Lexmark International Inc., registered

More information

EnterpriseTrack Reporting Data Model Configuration Guide Version 17

EnterpriseTrack Reporting Data Model Configuration Guide Version 17 EnterpriseTrack EnterpriseTrack Reporting Data Model Configuration Guide Version 17 October 2018 Contents About This Guide... 5 Configuring EnterpriseTrack for Reporting... 7 Enabling the Reporting Data

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

Report Viewer Version 8.1 Getting Started Guide

Report Viewer Version 8.1 Getting Started Guide Report Viewer Version 8.1 Getting Started Guide Entire Contents Copyright 1988-2017, CyberMetrics Corporation All Rights Reserved Worldwide. GTLRV8.1-11292017 U.S. GOVERNMENT RESTRICTED RIGHTS This software

More information

Prophet 21 Middleware Installation Guide. version 12.16

Prophet 21 Middleware Installation Guide. version 12.16 version 12.16 Disclaimer This document is for informational purposes only and is subject to change without notice. This document and its contents, including the viewpoints, dates and functional content

More information

FaciliWorks. Desktop CMMS Installation Guide

FaciliWorks. Desktop CMMS Installation Guide FaciliWorks Desktop CMMS Installation Guide FaciliWorks Desktop CMMS Installation Guide CyberMetrics Corporation 1523 West Whispering Wind Drive, Suite 100 Phoenix, Arizona 85085 USA Toll-free: 1-800-776-3090

More information

T E KLYNX CENTRAL I N S T A L L A T I O N G U I D E

T E KLYNX CENTRAL I N S T A L L A T I O N G U I D E TEKLYNX CENTRAL I N S T A L L A T I O N G U I D E Note TEKLYNX CENTRAL Installation Guide The information in this manual is not binding and may be modified without prior notice. Supply of the software

More information

Oracle Enterprise Single Sign-on Provisioning Gateway

Oracle Enterprise Single Sign-on Provisioning Gateway Oracle Enterprise Single Sign-on Provisioning Gateway Installation and Setup Guide Release 10.1.4.0.3 E10330-01 June 2007 Oracle Enterprise Single Sign-on Provisioning Gateway Installation and Setup Guide,

More information

1. ECI Hosted Clients Installing Release 6.3 for the First Time (ECI Hosted) Upgrading to Release 6.3SP2 (ECI Hosted)

1. ECI Hosted Clients Installing Release 6.3 for the First Time (ECI Hosted) Upgrading to Release 6.3SP2 (ECI Hosted) 1. ECI Hosted Clients........................................................................................... 2 1.1 Installing Release 6.3 for the First Time (ECI Hosted)...........................................................

More information

March 2011

March 2011 Oracle Enterprise Single Sign-on Logon Manager Best Practices: Configuring the ESSO-LM Agent Release 11.1.1.5.0 21004-01 March 2011 Oracle Enterprise Single Sign-on Logon Manager Best Practices: Configuring

More information

Scan to Digitech v1.0

Scan to Digitech v1.0 Scan to Digitech v1.0 Administrator's Guide June 2009 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other

More information