System Center Configuration Manager (SCCM)
System Center Operations Manager (SCOM)
System Center Data Protection Manager (DPM)
System Center Virtual Machine Manager (SCVMM)
And some more...
All these products are bundled with an installation of MS SQL Standard,
and they can share the same Microsoft database free of charge (you already paid for it).
Keep this in mind when you talk to your licensing department and/or count SQL instances for billing.
System Center Essentials is not included in this rule!
Some Rules to follow
First, the database cluster may not contain anything but the products of the suite listed above.
Not even a small database for your own testing or an in-house-made product; that is a no-go!
Second, you must use SQL Standard, not Enterprise or any other edition.
With Standard you can still set up a passive failover.
Last, do not put the DPM database there, not because of licensing,
but because if your cluster fails, where are you going to recover from??? ;-)
Here are a couple of scripts to help you along.
No Agent for Asset listing.
-- Assets whose MAPPED_ID is '0' have no machine (agent) record mapped to them.
SELECT
    ORG1.ASSET.NAME AS "Asset",                 -- asset name, so the row is identifiable
    ORG1.ASSET.MAPPED_ID AS "No Agent",
    ORG1.ASSET_DATA_5.FIELD_10008 AS "Status"
FROM
    ORG1.ASSET_DATA_5 INNER JOIN
    ORG1.ASSET ON ORG1.ASSET.ASSET_DATA_ID = ORG1.ASSET_DATA_5.ID
WHERE
    ORG1.ASSET.MAPPED_ID = '0';
Find Dup's. Change ^^ with your asset number.
-- Joins asset records to machine records with the same name; rows ending in the asset number,
-- plus unmapped assets, are the candidates for duplicates.
SELECT
    ORG1.ASSET.NAME AS "Asset",
    ORG1.ASSET.MAPPED_ID AS "Mapped ID",
    ORG1.MACHINE.NAME AS "Machine"
FROM
    ORG1.ASSET INNER JOIN
    ORG1.MACHINE ON ORG1.ASSET.NAME = ORG1.MACHINE.NAME
WHERE
    (ORG1.ASSET.NAME LIKE '%^^') OR      -- the join on NAME makes a second LIKE on MACHINE.NAME redundant
    (ORG1.ASSET.MAPPED_ID = '0');
Find certain departments using equipment. Change ^^ with department code.
SELECT
    ORG1.USER.CUSTOM_2 AS 'Dept',               -- Remember: I use CUSTOM_2 for department mapping from LDAP; yours might be different.
    ORG1.ASSET_DATA_5.FIELD_10008 AS 'Status',
    ORG1.MACHINE.NAME AS 'Machine',             -- the machine and its logged-on user, from the join keys below
    ORG1.MACHINE.USER_NAME AS 'User'
FROM
    ORG1.ASSET_DATA_5 INNER JOIN
    ORG1.MACHINE ON ORG1.MACHINE.BIOS_SERIAL_NUMBER = ORG1.ASSET_DATA_5.FIELD_89 INNER JOIN
    ORG1.USER ON ORG1.USER.USER_NAME = ORG1.MACHINE.USER_NAME
WHERE
    ORG1.USER.CUSTOM_2 LIKE '%^^%';             -- Remember: I use CUSTOM_2 for department mapping from LDAP; yours might be different.
As I tour the world helping Active Directory administrators, security professionals and auditors secure their Windows environments, I often get questions about privileged access. The questions are usually about how privileges are granted and how an organization can know whether its privileges are correct. These are great questions considering the onset of so many attacks on Windows in the past 5 to 7 years. It is important to see that privileged access is usually at the core of these attacks.
There are many ways to grant privileges in a Windows environment. Granting privileges is rather easy. Reporting on and analyzing the current privileged access can be a bit harder. There is no centralized location that an administrator or auditor can go to in order to see the current privileged access. Understanding the different technologies and features that grant privileged access is the first step. Then, for each area where privileges can be granted, there are five steps that should be accomplished to ensure ongoing privileged access security. Those steps include:
- Reporting on the current settings
- Analyzing the settings to understand who has privileged access
- Configuring the correct privileged access
- Monitoring for changes to privileged access
- Alerting, in real-time, for key privileged access changes
The technologies and features in a Windows environment that grant privileged access include:
- Group membership
- User rights
- Access control lists/Permissions
Depending on how a group is configured in the environment, it can carry the highest level of privileges or just a small amount of privileges. For example, the Domain Admins group has nearly the highest level of privileges within the entire Active Directory domain. Simply adding a user to this group grants this level of privilege. With groups, the most complex concept is getting the recursive group members, meaning the users that are located in groups nested inside the group.
There are plenty of reporting tools that can get group membership recursively. PowerShell by Microsoft and ADManager Plus by ManageEngine are two options.
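As an added example (not from the original article), the following PowerShell walks a privileged group recursively and keeps the nesting path, so a reviewer can see not just who is a member but through which nested group the membership arrives. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: report recursive group membership with the nesting path.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-NestedGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $Path = $GroupName,
        [System.Collections.Generic.HashSet[string]] $Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Guard against circular nesting (A contains B, B contains A); a hand-rolled walk must track this itself.
    if (-not $Seen.Add($GroupName)) { return }

    foreach ($member in Get-ADGroupMember -Identity $GroupName) {
        if ($member.objectClass -eq 'group') {
            Get-NestedGroupMembers -GroupName $member.SamAccountName -Path "$Path -> $($member.SamAccountName)" -Seen $Seen
        } else {
            # One row per membership path: a user reachable via two nested groups appears twice, on purpose,
            # because each path is a separate thing to clean up.
            [pscustomobject]@{
                Group       = $GroupName
                Member      = $member.SamAccountName
                ObjectClass = $member.objectClass   # 'user', 'computer', etc.
                NestingPath = $Path
            }
        }
    }
}

$report = Get-NestedGroupMembers -GroupName 'Domain Admins'
$report | Format-Table Member, ObjectClass, NestingPath -AutoSize

# Anything that is not a user account inside a privileged group deserves a second look.
$report | Where-Object { $_.ObjectClass -ne 'user' } | Format-Table Member, ObjectClass, NestingPath -AutoSize

# Cross-check the distinct member count against the built-in recursive expansion.
$builtIn = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName -Unique).Count
$walked  = ($report | Select-Object -ExpandProperty Member -Unique).Count
"Built-in recursive count: $builtIn, walked count: $walked"
```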
User Rights control global access over different aspects of a domain controller, server, or workstation. User Rights are configured using Group Policy, giving granular control over each computer individually. Therefore, each computer could have a unique set of User Rights, making the reporting and configuration of these settings difficult and time consuming.
There is a built-in tool, secpol.msc, which can report the current User Rights on each computer. The tool must be run locally, but it is extremely powerful and gives the precise configurations. Since each User Right provides some level of privilege over the computer, each and every User Right should be evaluated and configured to meet the minimum requirements for the server access.
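secpol.msc shows User Rights only interactively. As an added example (not from the original article), this PowerShell exports the same assignments with secedit, resolves the SIDs to account names, and filters to a short list of rights that matter most for privileged access. It assumes an elevated prompt; the list of sensitive rights is my own starting point, not a complete one.

```powershell
# Added example: export the local User Rights Assignment and resolve SIDs to names.
# Run elevated. secedit writes an INI-style file whose [Privilege Rights] section holds lines such as
#   SeDebugPrivilege = *S-1-5-32-544
function Get-LocalUserRights {
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $principals = $Matches[2] -split ',' | Where-Object { $_.Trim() -ne '' } | ForEach-Object {
            $id = $_.Trim()
            if ($id.StartsWith('*')) {
                # A leading '*' marks a SID; translate it to DOMAIN\Name when possible.
                try {
                    ([System.Security.Principal.SecurityIdentifier]($id.Substring(1))).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch {
                    $id.Substring(1)   # unresolvable (orphaned) SID: keep it raw, it should be reviewed too
                }
            } else { $id }
        }
        [pscustomobject]@{ Right = $right; Principals = ($principals -join '; ') }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

# Rights that grant broad control over the computer (assumed short-list; extend to fit your baseline).
$sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeImpersonatePrivilege'

Get-LocalUserRights | Where-Object { $_.Right -in $sensitive } | Format-Table -AutoSize
```

Run the same function on each server and diff the output against a known-good export to catch drift between computers.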
Access Control Lists
Controlling access to files and folders is essential for assuring the security of data within any organization. The access control lists for your key data need to be configured properly and verified to provide access only to the appropriate people. The wrong privileges granted to a file or folder could severely hurt or even destroy a company.
Reporting on who has access to a file or folder is a monumental task, due to the volume of files and folders on a typical network. Therefore, the most important data must be selected first, and those files and folders become the focus of the security hardening. There are many tools that can help report on data access control lists, but if you do not want to purchase a tool you can always use the built-in xcacls.exe tool.
The concept of delegation falls under the category of access control lists, but is a specific term used for Active Directory and Group Policy management. Due to the complexity of Active Directory delegation, the configuration of the delegation is typically done through the Delegate Control Wizard. This wizard is located on the drop down menu for the domain node and each Organizational Unit in the Active Directory Users and Computers tool. The wizard defines which account (user or group) is granted a specific task. The most common tasks are resetting passwords for users and modifying group membership, both of which have a potentially serious security impact if the wrong account is granted the delegation.
The Delegate Control Wizard can only configure delegations; it can't report on or remove them. Therefore, a different tool must be used for each task. The built-in dsacls.exe tool is ideal for reporting on delegations for each Active Directory node. As for modifications to existing delegations, that is typically left to manual effort performed on the Security tab of the object's Properties page.
Assuring that privileged access is understood, known, configured properly, and monitored is a huge step towards hardening the security of your Windows environment. Without the correct reports, configurations or monitoring it is impossible to know what privileges are granted. Without that knowledge of privileged access you are leaving your organization open to an easy attack. However, with the correct tools in place to monitor and alert on changes to privileged access, there is little that can sneak by you if an attack occurs.
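dsacls.exe prints one node at a time. As an added example (not from the original article), this PowerShell reads the ACL of an OU and every OU or container beneath it through the AD: drive and reports only the two delegated tasks discussed above, "reset password" and "modify group membership". The two GUIDs are the well-known Reset Password extended right and the schemaIDGUID of the member attribute; the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added example: report "reset password" and "modify group membership" delegations under an OU.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive). $OU is a placeholder.
Import-Module ActiveDirectory
$OU = 'OU=Workstations,DC=example,DC=com'   # placeholder, replace with a real OU

# Well-known GUIDs: the Reset Password extended right and the "member" attribute's schemaIDGUID.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$MemberAttribute    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-SensitiveDelegations {
    param([Parameter(Mandatory)][string] $SearchBase)
    # The OU itself plus every OU/container below it. Object-level ACEs on users or groups are out of scope here.
    $nodes = @(Get-ADObject -Identity $SearchBase) +
             @(Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
                   -Filter 'objectClass -eq "organizationalUnit" -or objectClass -eq "container"')
    foreach ($node in $nodes) {
        $acl = Get-Acl -Path "AD:\$($node.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            $task = $null
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
                $task = 'Full control (implies both)'
            } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                      $ace.ObjectType -eq $ResetPasswordRight) {
                $task = 'Reset password'
            } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                      ($ace.ObjectType -eq $MemberAttribute -or $ace.ObjectType -eq [guid]::Empty)) {
                # An empty ObjectType means "write all properties", which includes member.
                $task = 'Modify group membership'
            }
            if ($null -eq $task) { continue }
            [pscustomobject]@{
                Node      = $node.DistinguishedName
                Trustee   = $ace.IdentityReference.Value
                Task      = $task
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Inherited entries are expected; the non-inherited ones are the explicit delegations to review first.
Get-SensitiveDelegations -SearchBase $OU | Sort-Object Inherited, Node | Format-Table -AutoSize
```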
I am stunned, given the robust way that the majority of MS tools which accept both command line and configuration file-driven arguments handle things, i.e. the command line overrides the configuration file, that the installer for SQL Server can be so spectacularly awful!
If you specify the '/Q' argument on the command line and your configuration file also contains an entry for 'UIMode', you will get this error:
Media ScenarioEngine.exe returned exit code: 0x858C001C
Crystal clear, right? Obscure text, meaningless error numbers...SMH...
Luckily, the log written to the bootstrap location (e.g. "C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Log\Summary.txt") tells you what's happened:
The /UIMode setting cannot be used in conjunction with /Q or /QS
Also luckily, I always use the extracted MSIs to install this junk, so I am able to work around this nonsense, but I just thought I might save some other poor soul the heartache and wasted hours trying to decipher what the Hell prevents it from working.
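As an added example (not from the original post), this PowerShell pre-flight check catches the conflict described above before setup is launched: if the command line carries /Q or /QS and the configuration file still contains a UIMode entry, it writes a copy of the file without that entry and uses it. The setup and configuration file paths are placeholders.

```powershell
# Added example: detect the /Q vs. UIMode conflict before running SQL Server setup unattended.
# $SetupExe and $ConfigFile are placeholder paths; the answer file is one generated by setup itself.
function Resolve-SqlSetupConfig {
    param(
        [Parameter(Mandatory)][string]   $ConfigFile,
        [Parameter(Mandatory)][string[]] $SetupArgs
    )
    $quiet = @($SetupArgs | Where-Object { $_ -match '^/(Q|QS)$' })
    # Entries look like  UIMode="Normal"  inside the [OPTIONS] section of the answer file.
    $uiMode = @(Get-Content $ConfigFile | Where-Object { $_ -match '^\s*UIMode\s*=' })
    if (-not ($quiet -and $uiMode)) { return $ConfigFile }

    Write-Warning ("'{0}' in {1} cannot be combined with {2}; setup would exit with 0x858C001C " +
                   "(see Summary.txt under Setup Bootstrap\Log). Using a copy without UIMode.") -f `
                   $uiMode[0].Trim(), $ConfigFile, ($quiet -join ' ')
    $fixed = [System.IO.Path]::ChangeExtension($ConfigFile, '.quiet.ini')
    Get-Content $ConfigFile | Where-Object { $_ -notmatch '^\s*UIMode\s*=' } | Set-Content -Path $fixed
    return $fixed
}

$SetupExe   = 'D:\setup.exe'                    # placeholder: SQL Server media
$ConfigFile = 'C:\Temp\ConfigurationFile.ini'   # placeholder: generated answer file
$baseArgs   = '/Q', '/IAcceptSQLServerLicenseTerms'

$effectiveConfig = Resolve-SqlSetupConfig -ConfigFile $ConfigFile -SetupArgs $baseArgs
$setupArgs = $baseArgs + "/ConfigurationFile=$effectiveConfig"
& $SetupExe @setupArgs
```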