I want to make an inspec (chef) for diffrent GPOs.
I`m wondering to know is there any resource for GPOs (windows server).
because I dont have enough knowledge of gpos and how they work trough a powershell.
So, I appreciate if you send me any suggestion regarding to right inspect rb files dor gpos. (e.g read gplink, gpo health and system access , etc.)
You could use a command resource and the gpresult command line tool.
You may use 'audit_policy' and 'security_policy' inspec resources
Related
The scenario is as follows:
I have TeamCity set up to use AWS EC2 hosts running Windows Server 2012 R2 as build agents. In this configuration, the TeamCity agent service is running as SYSTEM. I am trying to implement FastBuild as our new compilation process. In order to use the distributed compilation functionality of FastBuild, the build agent host needs to have access to a shared network folder. Unfortunately, I cannot seem to give this kind of access from one machine to another.
To help further the explanation, I'll use named examples. The networked folder, C:\Shared-Folder, lives on a host named Central-Host. The build agent lives on Builder-Host. Everything is running Windows Server 2012 R2 on EC2 hosts that are fully network permissive to each other via AWS security groups. What I need is to share a directory from Central-Host so that Builder-Host can fully access it via a directory structure like this:
\\Central-Host\Shared-Folder
By RDPing into both hosts using the default Administrator account, I can very easily set up the network sharing and browse (while on Builder-Host) to the \\Central-Host\Shared-Folder location. I can also open up the command line and run:
type NUL > \\Central-Host\Shared-Folder\Empty.txt
with the result of an empty text file being created at that networked location.
The problem arises from the SYSTEM account. When I grab PSTOOLS and use the command:
PSEXEC -i -s cmd.exe
I can test commands that will be given by TeamCity. Again, it is a service being run as SYSTEM which, I need to emphasize, cannot be changed to a normal User due to other issues we have when using TeamCity agents under the User account type.
After much searching I have discovered how to set up Active Directory services so that I can add Users and Computers from the domain but after doing so, I still face access denied errors. I am probably missing something important and I hope someone here can help. I believe this problem will be considered "solved" when I can successfully run the "type NUL" command shown above.
This is not an answer for the permissions issue, but rather a way to avoid it. (Wanted to add this as a comment, but StackOverflow won't let me - weird.)
The shared network drive is used only for the remote worker discovery. If you have a fixed list of workers, instead of using the worker discovery, you can specify them explicitly in your config file as follows:
Settings
{
.Workers =
{
'hostname1' // specify hostname
'hostname2'
'192.168.0.10' // or ip
}
... // the other stuff that goes here
This functionality is not documented, as to-date all users have wanted the automatic worker discovery. It is fine to use however, and if it is indeed useful, it can be elevated to a supported feature with just a documentation update.
I have to write a script on Lotus Server which is on Windows server to save a csv file on UNIX server. I and Unix server path requires authentication. So can somebody help me or suggest me how to do it?
Thanks in advance.
Siddhartha
Could setting up a FTP server on Domino and accessing this from your UNIX server be an option ?
Mindoo FTP server
I once resolved this in two steps:
1. Save the file to a temporary directory on the D omino server using LotusScript
2. Create a scheduled taks on the windowd serverr to copy the file to the second server
Advantages:
You can specify any user in the scheduled task and you don`t have to care about accessibility of the other server.
Disadvantages
Two separate processes.
Hope that helos.
Michael
In my scenario which was very similar to yours, I did the following:
On the Windows Server, I created a Mapped Drive to the folder on the Unix OS. This also managed the Authentication.
In the LotusScript Agent, I extracted to this Mapped Drive, which worked 100%.
You need to provide more details. Presuming you can access the Unix folder from Windows Explorer, map the drive and let Windows store the password. Then access it through the mapped drive letter.
LotusScript can't write to UNC locations, so you need the drive letter.
That file will be probably picked up by another program. CVS is the worst approach. You could offer to write to a Web Service or provide one.
Update
On Unix "access" more often than not doesn't mean a CIFS (a.k.a Windows share) access, but SSH (or FTP). For SSH you would want to:
configure SSH Keys, so you actually don't need username/password any more
use a Java library as asked on Stackoverflow before (or an alternative)
you also could write the file to a temp directory and call a cmd file for the copy operation
With a little care (make the cmd file configurable) the stuff will work when moving your Domino to Unix/Linux too
Let us know how it goes
I am running on a Windows Server 2003. This is my problem:
I wrote a Perl script to automate the copy of some files from my Server machine to some network drives. I am using xcopy to copy the files. My problem is the permissions.
If I run the script from the command line, it works, all the copies are successful.
If I try to run the script using a service all the copies fail. This service is a program that I wrote that takes the script and runs it. In the background all it is doing is to call the C function 'system' and it runs the same program that I can run from the command line.
I have tried many variations of this to figure out what is wrong with it but I can't see why the service would not run the same way I run it from the command line.
I set up the service to run as the same user I am using from the command line.
I also tried to map the network drives as the user that has writing permission but the result is the same. Manually the script works, from the service, it doesn't.
Any suggestion is appreciated.
Thanks
Tony
The service may be running as the system and not have access to the network drives. In the Service settings, change the service to run under your account (or an account with the relevant permissions/mappings).
When the service runs, it uses whatever credentials you specify in the Services manager of Windows. The default, LOCAL SERVICE, probably does not have permission to access the resources to be copied.
Create a new user account with the minimum set of permissions needed to perform the copy and configure your service to run under that account.
I did figure out the issue (I think), and that matches what I later found in another post:
https://serverfault.com/questions/4623/windows-can-i-map-a-network-drive-for-a-service-account
<...Persistent drive mappings are only restored during an interactive login, which the service does not use. I believe the only way to get a service to use a network drive is for that service to map the drive itself or alternatively for it to us a UNC path instead of a mapped drive.>
What I did was mapping the drive using the service and that seems to work. It turns out, if I map the drive and save credentials, then I can access later the drive without having to map it again. I don't know why this approach seems to work though.
-Thanks everybody for your help.
Tony
Assume I have access to a SMB server at IP 1.2.3.4, how can I determine the list of available shares?
Windows Explorer can do it when I enter a UNC path \\1.2.3.4\ - but command prompt "dir \\1.2.3.4\" fails!
I've tried the usual FindFirstFile/FindNext calls - which I use successfully to read the files and directories on each share, but they don't work directly on the server root.
Ideally, I need something that works for XP onwards.
Edit: I want to do this programatically, rather than from command line. Redirecting and parsing the output from 'net view 1.2.3.4' would work, but I'm ideally looking for an API for this job.
According to the docs there's a NetShareEnum and a WNetEnumResource function.
net view \\1.2.3.4
Check out http://www.ss64.com/nt/net_share.html
Edit: If you want to do this programmatically, it looks like NetShareEnum would work.
It appears you can use WMI to get this information. Check this post for some neat PowerShell tutorials that show now to use the Win32_Share WMI object.
Never use WMI (not installed natively)
Use Win32 api to enumerate shares, posted millions of times on google groups( win32)
For a windows script I am writing, I need to detect if the machine has Apache 2.2 installed, and to find the application path.
One solution I came up with is to wget http://localhost:8080/server-info and parse the root and the config file from it. This would fail if the server does not use port 8080
Another option would be to call “sc qc Apache2.2” and to parse the returning string. This would fail if the server is not installed as a service, or is using a different name.
Is there any better way to do that?
Not a lot of great options if they didn't install it using the installer. If they used the MSI/installer, you can check the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Apache\2.2.2\ServerRoot
HKEY_CURRENT_USER\SOFTWARE\Apache Software Foundation\Apache\2.2.2\ServerRoot
You can also check the running process list:
WMIC PROCESS get Caption,Commandline,Processid
Look for the appropriate EXE. If for some reason you needed the port number, then use netstat and search for the appropriate port.
Also, when you say "a windows script", I am assuming you are using something modern and capable like Windows Scripting Host (my favorite) or PowerShell. Don't even bother with batch files.
As I recall, Apache writes some registry keys. If you know how to read them from a script, that might help.
uvdesk
Unable to locate the path on the server.
Try putting index.php after your helpdesk installation's site url or If you are using apache, make sure that mode_rewrite module is enabled and AllowOverride directive for document root is set to All/FileInfo in your server's configuration file.[enter code here][1]