Blogs

Meet the new PACE Suite 4.5, application packaging and virtualization tool

We have just released our new PACE Suite 4.5 and we can't wait to tell you all about it! Read the full announcement. Meanwhile, here are the highlights of our new release:

  • New "Add Driver" Wizard and Drivers tab. You can now add and manage Device Drivers.
  • “Add Custom Action” Wizard. Our smart Wizard guides PACE Suite users through the creation of custom actions, dramatically speeding up the whole process and helping to ensure the custom action will work.
  • Completely redesigned Custom Actions tab. The redesigned tab provides a wide variety of information and makes it easier to manage custom and standard actions.


Your feedback or feature suggestions are most welcome!



Creating Complex Boolean LDAP Filters

I'm writing this post because I haven't seen this discussed in ITNinja and it's therapeutic for me to write about the trauma I just experienced getting this filter to execute correctly.

To say our AD is convoluted would be a mild understatement.  As such, it's very difficult to keep unwanted objects like service accounts out of our Kace user population.  Recently we added a new Kace Organization so our legal department could have a service desk.  Their user population is a small subset of the company, so I wanted to restrict which objects LDAP pulls in without forcing my service desk to manually maintain the user list.

The criteria included managers in two specific departments in two geographies, managers in a third department in one geography, all members of the legal department, and one individual who could not otherwise be filtered.

I used a series of nested Ors and Ands to make this work.

Here's how it works conceptually

If this is true (samaccountName={USERID of the individual}) 
or if this is true ( and both the following are true (samaccountname=KBOX_USER)(memberOf=CN=Dept_Legal,CN=Groups,OU=Legal,DC=our_co,DC=com)) {Anyone in the Legal Dept Security Group}
or If this is true ( and both the following are true (samaccountName=KBOX_USER)(memberOf=CN=Dept_Marketing,CN=Groups,OU=Marketing,DC=our_co,DC=com)
    (and any of the following is also true (description=*Manager*)(description=*VP*)(description=*Director*)))

Here's the actual syntax minus the specifics for our domain.

And = &
Or = |

(|(samaccountName={USERID})(&(samaccountname=KBOX_USER)(memberOf=CN=Dept_Legal,CN=Groups,OU=Legal,DC=our_co,DC=com))(&(samaccountName=KBOX_USER)(memberOf=CN=Dept_Marketing,CN=Groups,OU=Marketing,DC=our_co,DC=com)(|(description=*Manager*)(description=*VP*)(description=*Director*))))

The actual filter is a bit more complex than this, but this shows all the variations that I used.  

If you have line breaks in the code or haven't nested your parenthetical statements correctly, your filter will fail.  For this reason, I use an advanced text editor (Notepad++, in my case) to help me ensure that all my parentheses are matched up.

I also recommend using ADUC or Windows Directory Service tools like DSQuery OU and DSQuery Group to ensure that you are copying the DNs correctly.

=======================================================================

NOTE (Updated 2/21/2018):

I had to open a ticket with Quest.  While my filter pulled in all the users I need, they could not authenticate.  As stated above, my filter was more complex than what is shown here, so you might be able to get this to work with a simpler filter, but the short version is that Kace's implementation of LDAP will import the users but won't work for actually signing in (at least at my level of complexity).  I ended up creating a security group to pull in only the users I need, which is unfortunate because that solution is static; the solution above is dynamic.
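
For the nesting problem this post describes (a stray line break or an unmatched parenthesis making the filter fail), the check can be scripted instead of done by eye. This is an added example, not part of the original post: the function names are illustrative, it checks only the RFC 4515 structure of the string, and it does not query a directory or model how the Kace appliance handles the filter.

```python
# Added example; names are illustrative. POST_FILTER is the filter shown in the post.
POST_FILTER = (
    "(|(samaccountName={USERID})"
    "(&(samaccountname=KBOX_USER)(memberOf=CN=Dept_Legal,CN=Groups,OU=Legal,DC=our_co,DC=com))"
    "(&(samaccountName=KBOX_USER)(memberOf=CN=Dept_Marketing,CN=Groups,OU=Marketing,DC=our_co,DC=com)"
    "(|(description=*Manager*)(description=*VP*)(description=*Director*))))"
)

def parse_filter(text):
    """Return a nested tree for the filter, or raise ValueError naming the problem."""
    if "\n" in text or "\r" in text:
        raise ValueError("line break inside filter")
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text after filter at offset {pos}")
    return node

def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, children, pos = text[pos], [], pos + 1
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"bad operand count for '{op}' near offset {pos}")
        node = (op, children)
    else:
        # Literal parentheses in a value must be escaped (\28, \29), so an item ends at the next one.
        end = pos
        while end < len(text) and text[end] not in "()":
            end += 1
        if "=" not in text[pos:end] or text[pos] == "=":
            raise ValueError(f"expected attribute=value at offset {pos}")
        node, pos = text[pos:end], end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"missing ')' at offset {pos}")
    return node, pos + 1

def pretty(node, depth=0):  # one clause per line so the nesting is visible
    pad = "  " * depth
    if isinstance(node, str):
        return f"{pad}({node})"
    return f"{pad}({node[0]}\n" + "\n".join(pretty(c, depth + 1) for c in node[1]) + f"\n{pad})"

if __name__ == "__main__":
    print(pretty(parse_filter(POST_FILTER)))
```

The indented output is for reading only; the single-line string is what gets pasted into the LDAP filter field.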

[Report] All computers with a smartcard reader

Hi everyone, and sorry for my bad English :)

Recently I developed a method that extracts all the PCs in the K1000 inventory that have a smart card reader, and I've published it on GitHub.
We use a script, a custom inventory rule and finally we generate the report.

How it works

  1. The vbs script executes a WMI query over the target device(s) and saves an output file named smartcard.txt (see below in the Setup section)
  2. The vbs script is scheduled and deployed to the target device(s) via K1000 Online KScript
  3. A K1000 Custom Inventory Rule reads the output file for every inventoried device and stores the information in the database
  4. A scheduled Report (choose your favorite format between HTML, CSV, PDF or Excel) returns only PCs with a smart card reader installed

Setup

The KScript

  1. Edit line 4 of the script with the path where you want to save the output file. In our environment every PC has a “C:\Tools” directory for service purposes, so I decided to save the output there.

    Set f = log.CreateTextFile("C:\Tools\smartcard.txt", 2)

  2. Go to your K1000 Dashboard, then go to Scripting and create a New Script (Choose Action / New)

  3. Name the script as you wish (for example: Check Smart Card Reader) and follow these steps:

Script Basic Settings

  • Type: Online KScript
  • Enabled: Yes
  • Deploy: one or some devices, all devices or to a Device Label, according to your needs in your environment
  • Windows Run As: Local System
  • Upload the smartcard.vbs as New Dependency

Tasks

We want the script to run once in every PC, so we'll use a “checkmark” (the smartcard.txt) to verify that...

  • Verify: Verify a file exists...
    • C:\Tools\smartcard.txt
  • Remediation: Launch a program...
    • Directory: $(KACE_SYS_DIR)
    • File: cscript.exe $(KACE_DEPENDENCY_DIR)\smartcard.vbs
    • Wait for completion: Yes
  • On Remediation Success: Upload a file... (note: this step is not necessary and is only for archiving purposes)
    • Directory: C:\Tools
    • File: smartcard.txt

...and Save your brand new script.


The Custom Inventory Rule

  1. In the K1000 Dashboard, now go to the Inventory section, then go to Software and create a new Software entry (Choose Action / New)

  2. Name the rule as you wish (for example: IT Dep — Check Smart Card Reader) and follow these steps:

  • Publisher: IT Department (it's useful for further searches into the Software Inventory)
  • Supported Operating Systems: All the Windows OSs in your Inventory
  • Custom Inventory Rule: ShellCommandTextReturn(cmd /c type C:\Tools\smartcard.txt)

...and Save your new Custom Inventory Rule.


Now we need all our devices to complete their inventory. The new Custom Inventory Rule creates a new entry in every device record managed by the K1000.

If a smart card reader has been discovered, we'll have at least one “DeviceClass: SMARTCARDREADER” text inside the Custom Inventory Fields section of every device record in Inventory / Devices

Otherwise, if a smart card reader has not been discovered, we'll have no text

When all your devices have been inventoried and you're ready, jump to the next section

The Report

In the K1000 Dashboard, now go to the Reporting section, then to Reports, and create a new Report (Choose Action / New)

Name the Report as you wish (for example: PCs with Smart Card Reader) and follow these steps:

Title and Topic

  • Category: Inventory
  • Topic: Device

Fields to Display

  • Device: System Name
  • Operating System Info: Name
  • User Information: User Name
  • Manufacturer and BIOS: System Model

Feel free to add and modify any other field, according to your needs.

Filters

Delete the default filter and create this:

Filter

Save your new report and try it.



Get Ready for GDPR Compliance

GDPR Compliance is Required by May, 2018 - Are You Ready?

GDPR is coming and it affects everyone. The fines for non-compliance are brutal.  Learn more about it from this wiki page and/or download the PDF datasheet:


Disable "Windows Welcome Experience" dialog during OS deployments

Recently I talked with Timokirch about a cosmetic issue when deploying new Windows 10 boxes with Quest KACE SDA/K2000:

Since the Windows 10 Creators Update (1703) a user is shown a pop up "Windows Welcome Experience"-window when she/he logs in for the first time (so when there is no user profile present yet).

This should not have any functional impact when deploying a new Windows 10 computer, but it hides other windows like the KACE SDA progress screen:



The ways of disabling this dialog are well documented here https://winaero.com/blog/disable-welcome-page-windows-10/ and here https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight
I will focus on the way by setting the registry value of "SubscribedContent-310093Enabled" in the key "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" to 0.
This works well but if you want to disable that for the very first user login like for the KACE SDA post installation sequence user account that is used during OS deployment, you need to set this before any user logs on at all: before the first boot of Windows.

You can disable the "Windows Welcome Experience"-window by setting the mentioned registry value in the default user profile. The default users registry is completely stored in the file NTUSER.DAT that is normally located in C:\Users\Default\ in standard Windows setups.
Nevertheless, you can also apply this to your running PCs as well, not only in OS deployment.

In your KACE SDA/K2000, create a new midlevel task; this runs in KBE/WinPE mode after Windows setup or image application but before the reboot of the machine into the freshly installed Windows.

  1. Go to your library and create a new Post installation task of type "BAT Script".

  2. Be sure you switch the Runtime Environment to "SDA Boot Environment (Windows)".

  3. Enter this script in the "BAT Script" text box (you may need to alter the path to NTUSER.DAT if you have a different drive letter for Windows) :
    REG LOAD HKLM\TempHive "C:\Users\Default\NTUSER.DAT"
    REG ADD "HKLM\TempHive\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-310093Enabled /t REG_DWORD /d 00000000 /f
    REG UNLOAD HKLM\TempHive

  4. Do NOT check "Reboot required", save your work and implement this mid level task to your scripted installation or image deployment.
    It's OK to place it anywhere in the midlevel sequence.

Of course, this method may be used to configure any other registry setting inside the default users profile as well.

A big thanks to Timokirch for testing this!

If you have any questions just leave a comment below.
