Local Admins MOF - by Ward Lange (Full Version)






tmiller -> Local Admins MOF - by Ward Lange (6/7/2006 1:48:40 PM)

I have a question about the Local Admins MOF tool Ward Lange posted to MyITForum.

The instructions say that the LocalAdmins.MOF file needs to be compiled on a local workstation. Does that mean that the LocalAdmins.MOF only needs to be compiled on a single SMS client once, or does the LocalAdmins.MOF need to be compiled on every client once, or does it need to be compiled on each client every time one wants to collect the current local admins?

I’ve made lots of changes and redeploys of SMS_DEF.MOF, so I know that routine, but this additional MOF thrown into the mix troubles and confuses me.




gross928 -> RE: Local Admins MOF - by Ward Lange (6/7/2006 3:02:57 PM)

It only needs to be compiled once on every machine. I created a small Wise exe that installs the file and then compiles it after it has run. If you are interested in the exe let me know and I can send it to you.

Thanks
Gavin...




tmiller -> RE: RE: Local Admins MOF - by Ward Lange (6/7/2006 3:15:01 PM)

Cool. Thanks for responding. I will use a similar method as the one I use to distribute updated SMS_DEF.MOFs since it is the same process but with a modified target collection.

That makes this method superior to the data-shift and mif-shift methods, I think. With those you have to continually run the VB scripts to keep the data up-to-date. Are there cons to this method - like a heavy burden on the Domain Controllers - or is the entire query done inside the client. I overheard some people talking about this at MMS and I wonder if it is dangerous in some way - or what pitfalls I need to watch out for.

I wonder why the localadmins.mof information couldn't just be added to the SMS_DEF.MOF along with the Reporting piece, since you have to distribute and compile the new SMS_DEF.MOF file anyway.





gross928 -> RE: Local Admins MOF - by Ward Lange (6/7/2006 3:33:41 PM)

This is how it works: the localadmins.mof is compiled on the clients, which then creates the WMI class. You also have to add the localadmins-report.mof to the end of your sms_def.mof. Once the WMI class is created on the client it returns the results whenever you run your hardware inventory. What I have also done is created a report that shows me all the local admin accounts other than the ones that should be there. There is nothing else done on the clients other than the HW inventory. Not sure why it can't be added to the sms_def.mof... there must be some reason why not... might be worth trying in a test lab.




bcasler@hotmail.com -> RE: Local Admins MOF - by Ward Lange (5/31/2007 10:22:09 AM)

So how on every 2003 machine can I replace 'BUILTIN' with the server name?




skissinger -> RE: Local Admins MOF - by Ward Lange (5/31/2007 10:55:59 AM)

There is a sample report here for Ward Lange's mof extension.




bcasler@hotmail.com -> RE: Local Admins MOF - by Ward Lange (5/31/2007 11:08:48 AM)

Yes, I have seen that and have the files, but how do I compile it for every 2003 machine (having to replace the 'BUILTIN' reference) without having to manually compile it on every machine?




skissinger -> RE: Local Admins MOF - by Ward Lange (5/31/2007 1:10:36 PM)

Is this one of the first times you've extended the MOF?  If so, a quick (and extremely brief) lesson on extending the Hardware Inventory mof...  SMS Clients get the default sms_def.mof by installing the Client itself.  If you want to gather additional information (not just changing FALSE to TRUE or TRUE to FALSE on existing definitions), then each client needs to 'mofcomp' the additional/new classes.  There are a few articles out there on automating the process; but the end result is that on each client, somehow the command of mofcomp file_with_the_new_classes.mof  has to be run, before the client can successfully report on new classes you've added to sms_def.mof on your primary site's \inboxes\clifiles.src\hinv  folder.

Let me know if I've completely missed your point, or if you need additional step-by-step "how to extend the mof" instructions.  There's also an e-book you can get at www.smsexpert.com regarding MOF editing.




bcasler@hotmail.com -> RE: Local Admins MOF - by Ward Lange (5/31/2007 1:28:49 PM)

I understand each machine must compile it to add the class to the local WMI, BUT my question was: in the script he had given (Ward Lange) you had to replace the reference 'builtin' in the localadmin.mof with the actual name of the 2003 server it is compiled on. My question was how to automate feeding the server name to the localadmins.mof before compiling it (presumably as an advertised package).

And yes, it is my first time, so be gentle. I will follow up on the references you have mentioned.




mlucero -> RE: Local Admins MOF - by Ward Lange (5/31/2007 2:20:19 PM)

"BUILTIN" is merely referring to the built-in local group named "administrators" on each machine on which you compile the MOF adjustment. You do not need to replace it with anything. When compiling locally, the "domain" is the local machine.

Leave the MOF adjustment as is and compile it on your client machines.

Also, no need to make a script or anything to run it. Just create a package with the LocalAdmins.MOF file and use the following command:  MOFCOMP LocalAdmins.MOF

MOFCOMP.exe is located in the %windir%\system32\wbem  directory and is built into the default path.





bcasler@hotmail.com -> RE: Local Admins MOF - by Ward Lange (5/31/2007 2:23:56 PM)

His instructions in the readme say you need to change it on 2003 machines. I will test it out.
Oh, and thank you for your help.
+---------------------------------+
¦  Local Admins MOF               ¦
¦  Created by Ward Lange          ¦
¦  3/4/2006                       ¦
¦  Ward.lange@sanofi-aventis.com  ¦
+---------------------------------+
I - Purpose
The MOF files included in this zip file will create a WMI class called Win32_LocalAdmins and will allow that information to be collected by SMS 2003.  The class is located in the Root\CIMV2 namespace in WMI and you can use WBEMTEST or WMITools to view the information created.

II - Applying the MOF files
The LocalAdmins.MOF file needs to be compiled on a local workstation to create the class.  You can do this manually or through an SMS delivery by creating a package and program to run the command:
MOFCOMP LocalAdmins.MOF
The LocalAdmins-Report.MOF needs to be added to the end of the SMS_DEF.MOF file on the SMS 2003 Server located at the \\<server>\sms_<site>\inboxes\clifiles.src\hinv directory on the site server.  You can monitor the DataLdr.log file on the server to ensure the SMS_DEF.MOF changes are applied correctly.
III - Windows 2003 Systems
The LocalAdmins.MOF will not compile the same way on Windows 2003 server machines.  You must replace the text "BuiltIn" with the actual server name of the server where the MOF is being compiled on.  Otherwise the class will not be populated with any data.  The MOF file compiles fine on Windows 2000 and XP machines without modification.
IV - Warranty
Use at your own risk and test the results prior to deployment.







mlucero -> RE: Local Admins MOF - by Ward Lange (5/31/2007 2:36:48 PM)

I see your dilemma. Unfortunately, I do not have a method off the top of my head for this as we do not manage servers with SMS in our environment... there is a different system in place for them. I'd be interested in this solution myself in the case we eventually do manage server class machines with SMS.




Tom_Watson -> RE: Local Admins MOF - by Ward Lange (3/26/2008 6:02:09 AM)

If you can get a copy of a Windows equivalent to 'sed' you could script something like:-

sed.exe s/BUILTIN/%COMPUTERNAME%/g LocalAdmins.MOF > %TEMP%\LocalAdmins-2003.MOF
MOFCOMP.EXE %TEMP%\LocalAdmins-2003.MOF


You can Google for Windows SED variants.  One such page gave me http://sed.sourceforge.net which had several links for Windows SED variants.  I tried the one at http://sed.sf.net/grabbag/ssed/sed-3.59.zip and it seemed to work OK.

I guess you'd have to test this out thoroughly though.

EDIT: Mark Seely has a nice VBS script that will do the trick here - http://www.myitforum.com/forums/m_179546/mpage_1/key_/tm.htm#179659
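
The substitution discussed above, as an added example that is not part of the original post and is neither Ward Lange's nor Mark Seely's script: instead of assuming the computer name, it asks WMI which Domain value it reports for the local Administrators group (looked up by its well-known SID), patches the MOF with that value, compiles it, and then checks that Win32_LocalAdmins actually returns instances. Assumptions: Windows PowerShell is installed on the target, LocalAdmins.MOF quotes the domain as 'BUILTIN' in the same way as the configuration.mof snippet posted later in this thread, and the file names and exit codes are placeholders chosen for this example.

```powershell
# Added example for Windows PowerShell (uses Get-WmiObject); names and paths are assumptions.
param(
    [string]$MofPath = '.\LocalAdmins.MOF'   # assumed: unmodified MOF beside this script
)

# Domain is a key of Win32_Group, so the value in the MOF's ViewSources query
# must match what this OS reports. Look the group up by its well-known SID
# (S-1-5-32-544 = local Administrators) and read the Domain value from WMI.
$group = Get-WmiObject -Class Win32_Group `
             -Filter "LocalAccount=True AND SID='S-1-5-32-544'" |
         Select-Object -First 1
if (-not $group) {
    Write-Error 'Local Administrators group not found in WMI.'
    exit 2
}
$domain = $group.Domain   # per the thread: BUILTIN on XP, machine name on 2003/Vista

# Patch only the quoted token; -replace is case-insensitive, and the result
# is a no-op when this OS already reports BUILTIN.
$patched = Get-Content -Path $MofPath |
           ForEach-Object { $_ -replace "'BUILTIN'", "'$domain'" }

$out = Join-Path $env:TEMP 'LocalAdmins-patched.MOF'   # placeholder file name
$patched | Set-Content -Path $out -Encoding Unicode    # mofcomp accepts Unicode MOFs

& "$env:windir\system32\wbem\mofcomp.exe" $out
if ($LASTEXITCODE -ne 0) {
    Write-Error "mofcomp failed with exit code $LASTEXITCODE."
    exit 1
}

# An empty class means hardware inventory has nothing to report, so return a
# non-zero exit code and let the SMS program status show the failure.
$members = @(Get-WmiObject -Namespace 'root\cimv2' -Class Win32_LocalAdmins)
if ($members.Count -eq 0) {
    Write-Error "Win32_LocalAdmins compiled but returned no instances (Domain='$domain')."
    exit 3
}

# Each AccountName is a WMI reference path to a Win32_Account object.
$members | ForEach-Object { $_.AccountName }
exit 0
```

Reading the Domain value from Win32_Group means the same package can be advertised to workstations and servers without a per-OS branch.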




jkuta -> RE: Local Admins MOF - by Ward Lange (6/3/2008 9:15:39 PM)

I tried to use the MOFs in my SCCM SP1 test environment but can't seem to get it to work. 

The localadmin.mof compiles fine, the WMI class is added to the clients (localadmins-report.mof compiles fine on the server) and I trigger a client hardware inventory but when I run the report I get the following error: Invalid object name 'v_GS_LocalAdmins'.

Using SQL Management Studio I verified that no table/view exists in the database called v_GS_LocalAdmins.  What creates this table/view?

Has anyone gotten this to work in Config Manager?





mseely -> RE: Local Admins MOF - by Ward Lange (6/3/2008 10:56:52 PM)

Did you compile localadmins-report.mof on the server,
or did you place the contents of localadmins-report.mof into the 'SMS_DEF.MOF' file on the server ?





jkuta -> RE: Local Admins MOF - by Ward Lange (6/4/2008 9:50:40 AM)

I copied and pasted the text content of localadmins-report.mof into the sms_def.mof file and compiled it on the SCCM server.  Should I have run "mofcomp localadmins-report.mof" on the SCCM server?




mseely -> RE: Local Admins MOF - by Ward Lange (6/4/2008 11:28:04 AM)

The contents of the localadmin-report.mof should be in the SMS_DEF.MOF.

So ...

1)  The WMI class is on the client.  Is the class populating with any instances. [If there are no instances, then there will be nothing to report up to the server]
2)  When Inventory runs, are there any errors resulting from the Win32_LocalAdmins class in the InventoryAgent.log?
3)  Run the following query on the server to see if the View got created with some other name -
SELECT * FROM v_GroupMap where MIFClass='MICROSOFT|LocalAdmins|1.0'
    and look for the 'InvClassName' field.
    (The MIFClass being the  SMS_Class_ID from the SMS_DEF.MOF)
 
The 'InvClassName' would be the view you would need to query against to see the inventory data.




skissinger -> RE: Local Admins MOF - by Ward Lange (6/4/2008 5:20:00 PM)

Question for jkuta:  Is this SMS2003, or ConfigMgr07?  You mentioned SCCM server, and there are some differences in what you do w/mof extensions between SMS2003 and ConfigMgr.




jkuta -> RE: Local Admins MOF - by Ward Lange (6/4/2008 8:44:47 PM)

I am running System Center Configuration Manager 2007 SP1 in my test environment.




1)  The WMI class is on the client.  Is the class populating with any instances. [If there are no instances, then there will be nothing to report up to the server]

When I use WMIExplorer to view the win32_LocalAdmins class on a Windows Server 2003 machine there are no instances populating; however, when I view the same class on a WinXP machine, members of the local administrators group appear as instances (once I completed this test the v_GS_LocalAdmins view appeared in my database).  In the post authored by mlucero above, he indicates that the "BUILTIN" syntax in the localadmins.mof file doesn't need to be modified, even when compiling it on Win2k3 servers.  As a test I modified localadmins.mof by replacing 'BUILTIN' with the Windows server name, compiled the mof and when I viewed the win32_LocalAdmins class it populated the instances with members of the local administrators group as it should.

2)  When Inventory runs, are there any errors resulting from the Win32_LocalAdmins class in the InventoryAgent.log?

The inventory action runs and completes without errors.  Here is the line in the InventoryAgent.log that references the inventory action:
Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, CurrentTimeZone, Description, Domain, DomainRole, Manufacturer, Model, Name, NumberOfProcessors, Roles, Status, SystemType, UserName FROM Win32_ComputerSystem; Timeout = 600 secs.
There are no error messages following this line, only the next set of queried classes. 

3)  Run the following query on the server to see if the View got created with some other name -
SELECT * FROM v_GroupMap where MIFClass='MICROSOFT|LocalAdmins|1.0'
    and look for the 'InvClassName' field.     (The MIFClass being the  SMS_Class_ID from the SMS_DEF.MOF) 

Initially this query yielded no results, however after I compiled localadmins.mof on an XP machine and triggered an inventory the view/table populated in the database with the expected information.  The report started working as well.

I'm happy this works with WindowsXP but what about Win2K3 Server?  Is mlucero's post inaccurate?  Does the localadmins.mof indeed need to be manually compiled on each and every server?




skissinger -> RE: Local Admins MOF - by Ward Lange (6/4/2008 8:54:10 PM)

Since you are ConfigMgr, there is a slight difference:

Put this in the primary site server's copy of sms_def.mof (at the bottom):
quote:

 //  <:[-<>>>>>>>>>>>>>>>>>>>>>>>>>>>Begin>>-Administrators group-<<Begin<<<<<<<<<<<<<<<<<<<<<<<<>-]:>
[ SMS_Report (TRUE),SMS_Group_Name ("LocalAdmins"),SMS_Class_ID ("MICROSOFT|LocalAdmins|1.0")]
class Win32_LocalAdmins : SMS_Class_Template
{
[SMS_Report(TRUE), key] string AccountName;
[SMS_Report(TRUE), key] string GroupName;
};
//  <:[-<>>>>>>>>>>>>>>>>>>>>>>>>>>>END>>-Administrators group-<<END<<<<<<<<<<<<<<<<<<<<<<<<>-]:>

And this in configuration.mof on the primary site clifiles.src (at the bottom):
quote:

 //  <:[-<>>>>>>>>>>>>>>>>>>>>>>>>>>>Begin>>-Administrators group-<<Begin<<<<<<<<<<<<<<<<<<<<<<<<>-]:>
[union, ViewSources{"Select * from Win32_GroupUser where GroupComponent=\"Win32_Group.Domain='BUILTIN',Name='Administrators'\""},ViewSpaces{"\\\\.\\root\\CIMV2"}, Dynamic : ToInstance, provider("MS_VIEW_INSTANCE_PROVIDER")]
class Win32_LocalAdmins
{
[PropertySources("PartComponent"), key] Win32_Account ref AccountName;
[PropertySources("GroupComponent"), key] Win32_Group ref GroupName;
};
//  <:[-<>>>>>>>>>>>>>>>>>>>>>>>>>>>END>>-Administrators group-<<END<<<<<<<<<<<<<<<<<<<<<<<<>-]:>


That way you don't have to mofcomp anything on your XP workstations.  Believe me... it's much better than managing a mofcomp update routine on your clients.

Regarding your question about win2k3; there was a recent discussion here.  Perhaps Mark's script will work for you as well?




jkuta -> RE: Local Admins MOF - by Ward Lange (6/5/2008 3:36:45 PM)

Thank you for mentioning Mark's script in the post above, it works awesome and worked like a charm on my Win2K3 servers!

Re: the code above...I added it to both the configuration.mof and sms_def.mof files and compiled them on my SCCM server however at this time I only have 2K3 servers in my test environment and as such, I am unable to tell if the code worked for non-server machines.  I am curious, how can this code take effect on the XP workstations and report the contents of their local admins group if it's not mofcomp'd locally?




skissinger -> RE: Local Admins MOF - by Ward Lange (6/5/2008 4:37:52 PM)

Because ConfigMgr is cool!  [:D]

No, really.  ConfigMgr07 was designed to have the advanced clients automatically mofcomp "configuration.mof".  As you've seen, you'll need to mofcomp on Servers and Vista using the script because "BUILTIN" isn't there on those OS'; but on XP it works without the script.  Although (thinking as I type here)....I might need to test whether nothing in configuration.mof; and use the script instead to all platforms is a better idea.  I'm not sure if configuration.mof will overwrite what you just did w/the manual mofcomp, and eventually 2003 & Vista wouldn't report right.



