1st January 2009, 11:15 PM #1
GPO S/W deployment status..?
Some thinking out loud following on from this thread. Any comments, especially thoughts on why anything will or won't work, is ridiculous or whatever, are welcome. I spent a couple of hours earlier on a Quick Win[tm] which is a small, relatively quick app you run via a computer startup script:
a) If there have been any changes since last time it trawls through the registry s/w uninstall keys and creates/overwrites a local file containing info for each app.
b) If there have been any new MsiInstaller events since last time these are appended to another file. I still need to think about filtering these events.
c) Creates a H/W inventory and then creates/overwrites a file if that inventory is different from last time.
Any new/changed files are then copied to a network share obtained from a policy setting. Server-side I've made a simple GridView app to display info from the relevant s/w uninstall file that is launched from the ADUC computer context menu. Haven't done viewers for the others yet (I'm not that fond of GUI dev).
So far so good, but I want to add in GPO s/w assignments for a given computer e.g. to easily see that package X was assigned but has installed or failed to install. OK, with enough effort I can trawl through a computer's AD path, find any enabled linked GPOs, figure out if they apply to the computer, find which of those have SI policy and figure out whether the computer has appropriate security permissions for any given package within an applicable GPO.
GetEffectiveRightsFromAcl() will likely get used on any AD GPO/Package object with non-inherited ACEs unless anyone knows it doesn't work or of an alternative in .net? Undecided, but I'm also contemplating just grabbing the list of applied GPOs (and critically their version numbers) from the registry as part of the client-side s/w uninstall key dumping - would save me working out which ones are relevant to a given computer and could be handy as a "GPO application or maybe Sysvol replication is stuffed" detector.
One way or another the latter should be doable, but what I really want is to be able to R-click an OU to launch an app that displays S/W status for all the computers under that OU.
The bit that's bothering me here is scalability - I'll be happy if it works well enough for hundreds (folk with thousands can go shop) and reading/processing hundreds of simple little files server-side isn't that big a deal. But efficiently sorting out the package assignments, that is checking lots of computers against AD GPO and individual package security permissions, could be a bit tough. Guess I'll have to round up (cache) info about all GPOs in AD that have SI policy, their permissions, packages and any package-specific permissions at the start of time - haven't thought any further.
One thing I don't want to do is throw any services/agents at this - I definitely don't want anything running all the time client-side and yeah it would probably help somewhere, but I really don't want (yet another pesky) database running server-side.
Last edited by PiqueABoo; 1st January 2009 at 11:26 PM.
2nd January 2009, 06:59 AM #2
This sounds quite similar to this software: Software deployment & distribution - Specops Deploy
Personally I would be looking at WMI to grab the software inventory and install status as it runs in the background anyway on workstations.
2nd January 2009, 02:57 PM #3
Difference is I'm just looking at getting some reporting for native GPO deployment for free. SpecOps is a complete deployment system with background BITS xfers etc., costs money and there appears to be a show-stopping 2K8 GPME support hole.
WMI with Win32_Product? I did look at that but unless I'm missing something I can quickly get all that plus more potentially useful info to play with from the registry e.g. hotfixes, EXE installs (most of which do make an uninstall sub-key) etc.
2nd January 2009, 04:15 PM #4
Yeah, I was aware of the costs etc., just pointing it out as a source of ideas and proof of concept as most of it is built on top of AD.
The registry way will grab lots of information but does require the app to run against the registry, probably locally. With WMI you can run it either locally or triggered over the network at any time while the system is running. It also isolates the software from issues caused by different implementations in different systems (2k, XP, Vista).
You can easily grab the hotfix information as well using WMI along with vast amounts of other information. I have a system that uses a WMI script on logon to populate a hardware inventory which works really well. Here are some resources that may be helpful:
Hardware and software/hotfix inventory:
CodeProject: WMI hardware/software enumeration script. Free source code and programming help
RSoP group policy status:
Group Policy Scripts
RSoP WMI Classes (Windows)
WMI Explorer to dig about and see what's available:
This bit of freeware also seems to implement some of the features that you are after so it could be a source of ideas:
Group Policy Inventory 1.0.1361.27800
The easiest way to get at GPO stuff would be to use the GPMC scripting stuff which should nicely wrap a lot of the tasks:
Group Policy Management Console Scripting Samples (Windows)
I don't think that the raw codebehind is encrypted so you should be able to see the actual methods used in the sample scripts.
ADSI is probably the easiest way to access and manage the GPO links without GPMC installed:
Get GPOs using LDAP
I would be interested in seeing where you get to with this as this functionality would be very useful.
2nd January 2009, 10:15 PM #5
Quote: "but does require the app to run against the registry, probably locally"
Absolutely, but "locally" is a core requirement for me - this needs to work when at any given time a significant proportion of the domain's machines are stubbornly offline (laptops at home, machines that are not going to WOL in a month of Sundays or whatever). Computer start-up when connected to the domain is when SI status can change, so that's a good time to capture what has changed... assuming I can make that happen after any installs have finished.
Manually triggered remote queries of machines can be useful and there's nothing much to stop me using say psexec or WMI to remotely kick off that local app to refresh the data for a machine, but if that's the only way to do it then I'd have to keep kicking scans off and would probably never get a full set of current SI data for the domain.
Quote: "Hardware and software/hotfix inventory:"
Cor.. that is verbose. I made something like that just for h/w once and also in JS, but settled for a lot less info. Kind of relieved to see it has the same network adapter issues as mine - it reckons I've got 39! I just reported the first two which works on clean boxes, but not here.. side-effect of cloning old laptop which had VPN, VMWare, MS vnet adapters etc.
That script doesn't report the EXE installers (that show via add/remove). It did hotfixes much better than me, but that prompted me to figure out where WMI gets them from - underneath another regkey. Could be what I've used it for in the past, but for me WMI is synonymous with "slow" whereas dumping info from the registry has been fast.
Quote: "ADSI is probably the easiest way to access"
Agreed, although it will probably be dotNet and system.directoryservices which is essentially a wrapper for ADSI. Scripts can do pretty much anything in AD including get and set ACEs, but in practice they're not so fast and you can't multi-thread your way around time.
Even with MT a second spent on 500 clients is much better than work at the server so the more I can get the client to tell me the better. Currently digging around in the appmgmt folder in %windir%\system32 and wondering if I'll ever find decent documentation on values such as "AppState" that appear under a package's GUID here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
Don't know if all applicable package GUIDs turn up there and whether say that AppState would indicate a failure (or perhaps there's useful info about that in the corresponding Installer regkey). Will have to make some MSI destined to fail and observe.
This is in the registry neighbourhood where you can get the computer's applied GPOs and version numbers etc. Looking around I *might* be able to get almost everything I want from there and only need to scratch AD at the server-side of this.
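The start-up script sketched in post #1 (uninstall keys, MsiInstaller events, files copied to a share only when changed) and the registry neighbourhood described just above (the AppMgmt package keys with their AppState DWORD, and the applied-GPO history with version numbers) can be put together in one PowerShell start-up script. This is an added example, not code from the thread or from any poster: the share path is a placeholder, the Group Policy\History value names (DisplayName, GPOName, Version) and the MsiInstaller event ids used to narrow the event dump are assumptions, and the AppState value is recorded raw because the thread has not settled what its bits mean.

```powershell
# Added example (not the thread's own code). Computer start-up script that dumps the
# software/GPO state the thread discusses and ships files to a share only when changed.
# Assumptions: $OutputShare is a placeholder; History value names and MsiInstaller ids below.
param(
    [string]$OutputShare = '\\SERVER\SwInventory$',        # placeholder; thread reads it from a policy setting
    [string]$LocalState  = "$env:ProgramData\SwInventory"   # per-machine working folder
)
New-Item -ItemType Directory -Force -Path $LocalState | Out-Null

# a) Installed software from the per-machine Uninstall keys (native and WOW6432Node views);
#    this also catches EXE installers that register an uninstall sub-key, which Win32_Product misses.
function Get-UninstallInventory {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if (-not $p.DisplayName) { continue }            # skip bare/placeholder keys
            [pscustomobject]@{
                Key = $key.PSChildName; DisplayName = $p.DisplayName; Version = $p.DisplayVersion
                Publisher = $p.Publisher; InstallDate = $p.InstallDate; Msi = [bool]$p.WindowsInstaller
            }
        }
    }
}

# GPO software installation state: one sub-key per package GUID under AppMgmt. AppState is
# recorded as the raw DWORD; every other value is dumped name=value so nothing useful is lost.
function Get-AppMgmtState {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt'
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        $vals = $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }
        [pscustomobject]@{ PackageGuid = $key.PSChildName; AppState = $p.AppState; Values = ($vals -join ';') }
    }
}

# Applied GPOs with version numbers from Group Policy\History: one sub-key per client-side
# extension GUID, then one numbered sub-key per GPO (value names are an assumption).
function Get-AppliedGpoHistory {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    if (-not (Test-Path $root)) { return }
    foreach ($cse in Get-ChildItem $root) {
        foreach ($entry in Get-ChildItem $cse.PSPath) {
            $p = Get-ItemProperty $entry.PSPath
            [pscustomobject]@{ Extension = $cse.PSChildName; GpoId = $p.GPOName
                               Name = $p.DisplayName; Version = $p.Version }
        }
    }
}

# b) MsiInstaller events since the last run, narrowed to install/remove completion and failure
#    (ids 1033, 1034, 11707, 11708 are an assumption; widen the list to keep everything).
function Get-NewMsiEvents([datetime]$Since) {
    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $Since
                 Id = 1033, 1034, 11707, 11708 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Write a CSV only when its SHA-256 differs from last run's, then copy it to the share under
# this computer's name so one client cannot clobber another's file.
function Save-IfChanged([string]$Name, [object[]]$Data) {
    $path = Join-Path $LocalState $Name
    $text = ($Data | ConvertTo-Csv -NoTypeInformation) -join "`r`n"
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = [BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($text))) -replace '-', ''
    if ((Test-Path "$path.sha256") -and ((Get-Content "$path.sha256") -eq $hash)) { return $false }
    Set-Content -Path $path -Value $text -Encoding UTF8
    Set-Content -Path "$path.sha256" -Value $hash
    Copy-Item -Path $path -Destination (Join-Path $OutputShare "$env:COMPUTERNAME-$Name") -Force
    return $true
}

# Main flow: the last-run timestamp is the watermark for event collection.
$stamp = Join-Path $LocalState 'lastrun.txt'
$since = if (Test-Path $stamp) { [datetime](Get-Content $stamp) } else { (Get-Date).AddDays(-30) }
$changed = @(
    Save-IfChanged 'software.csv'   @(Get-UninstallInventory)
    Save-IfChanged 'appmgmt.csv'    @(Get-AppMgmtState)
    Save-IfChanged 'gpohistory.csv' @(Get-AppliedGpoHistory)
)
$events = @(Get-NewMsiEvents $since)
if ($events.Count -gt 0) {
    # Append: the events file is a running log, not a snapshot like the others.
    $events | ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1 |
        Add-Content -Path (Join-Path $LocalState 'msievents.csv')
    Copy-Item (Join-Path $LocalState 'msievents.csv') (Join-Path $OutputShare "$env:COMPUTERNAME-msievents.csv") -Force
}
Set-Content -Path $stamp -Value (Get-Date -Format 'o')
"Changed files: $(($changed | Where-Object { $_ }).Count); new MSI events: $($events.Count)"
```

Two points worth keeping in mind when running something like this as a start-up script. It runs as SYSTEM, so the share should grant computer accounts write access only and reserve read access for the server-side viewer; the per-computer file naming stops clients overwriting each other, but it does not stop a machine with a compromised local admin from writing whatever it likes, so the data is self-reported inventory for reporting, not an enforcement point. And because the GPO history and AppMgmt keys are read on the client, a machine whose Group Policy processing or Sysvol replication is broken shows up as stale version numbers rather than silently vanishing from the report, which is the "GPO application is stuffed" detector post #1 was after.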
2nd January 2009, 11:28 PM #6
Sorry, wasn't suggesting that you used the scripts directly but rather looked at the methods and values used as most of these are easy enough to convert into a proper bit of software in a real language especially with .net.
Whichever method you end up using it could be triggered at machine startup like the machine startup script.
You are right about the WMI stuff only showing the MSI based stuff but if you were using this solely to check out the status of deployed packages this limitation does not really matter.
As to AppState here is what I found:
GPanswers.com :: View topic - Uninstall this application when it falls out of the scope...
DWORD of 9 = normal (leave alone)
DWORD of 11 = uninstall
The other states appear to be listed here:
LOCALMANAGEDAPPLICATION Structure (Windows)
but the integer values that go with the constants are locked away somewhere in the Appmgmt.h header file from the Windows SDK.
Indicates the state of the installed application. This parameter can contain one or more of the following values:
- The application is installed in the assigned state.
- The application is installed in the published state.
- The installation of this application uninstalled an unmanaged application with a conflicting transform.
- If the policy from which this application originates is removed, the application is left on the computer.
- If the policy from which this application originates is removed, the application is uninstalled from the computer.