Monday, December 8, 2008

Install software and save settings on Wyse XPe devices (V90L)

Details are in the Wyse XPe Admin Guide (http://www.wyse.com/manuals) and in Microsoft's File Based Write Filter (FBWF) documentation (http://msdn.microsoft.com/en-us/library/aa940926(WinEmbedded.5).aspx).
  1. Log off the current user. Hold down the Shift key during logoff so that the logon dialog is displayed instead of the automatic User logon.
  2. Log on with user ID Administrator and password Administrator to reach the Administrator desktop. These are the factory defaults, so change the Administrator password before the device goes into service.
  3. Double-click the FBWF Enable desktop icon to enable the File Based Write Filter; the device reboots immediately.
  4. After the reboot, a green balloon in the system tray indicates that the File Based Write Filter is running.
  5. Log on as the normal User account and make the user-level changes there, e.g. custom ICA settings and desktop icons. ICA connections created in Program Neighborhood (PN) under the Administrator account are stored in that profile and are not available to the User account.
  6. Log off and log on to the Administrator desktop again.
  7. Install the software and perform any other privileged operations here.
  8. Double-click the FBWF icon in the system tray to open the File Based Write Filter Control dialog box.
  9. Click the Commit Changes button to write your configuration changes from the RAM overlay to the flash.
  10. Reboot the device and verify that the settings have persisted.
  11. Double-click the FBWF Disable desktop icon to disable the File Based Write Filter; the device reboots immediately.
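The same work can be scripted, which matters once more than a handful of devices need the same software. The following is an added example, not from the Wyse guide or Microsoft's FBWF documentation: it drives the filter with fbwfmgr.exe, the command-line manager that ships with the File Based Write Filter component. It assumes fbwfmgr.exe and PowerShell are present on the V90L image and that you run it from the Administrator desktop (the same commands can be typed at a cmd prompt); the file paths are illustrative.

```powershell
# Added example: command-line equivalents of steps 3, 8-9 and 11 via fbwfmgr.exe.
# Assumes fbwfmgr.exe exists on the image; paths below are illustrative.

function Show-FbwfState {
    # Current and next-session filter state, protected volumes, exclusions, overlay threshold
    fbwfmgr /displayconfig
    # Files currently held in the RAM overlay, i.e. what would be lost on reboot
    fbwfmgr /overlaydetail
}

function Commit-FbwfFiles {
    # Write selected overlay files to the flash. fbwfmgr takes the volume and the
    # path relative to that volume as two separate arguments, for example:
    #   fbwfmgr /commit C: \WINDOWS\System32\drivers\etc\hosts
    # The dialog's Commit Changes button saves the pending changes; here you name
    # each file explicitly, so nothing is persisted that you did not list.
    param(
        [string]$Volume = 'C:',
        [string[]]$Paths
    )
    foreach ($p in $Paths) {
        Write-Host "Committing ${Volume}${p}"
        fbwfmgr /commit $Volume $p
    }
}

function Set-FbwfEnabled {
    # Equivalent of the FBWF Enable / FBWF Disable desktop icons. The new state
    # takes effect at the next boot, so reboot afterwards (the icons do that for you).
    param([bool]$Enabled)
    if ($Enabled) { fbwfmgr /enable } else { fbwfmgr /disable }
    fbwfmgr /displayconfig
}

Show-FbwfState
# Assumed paths: the ICA client settings saved in the User profile (step 5)
Commit-FbwfFiles -Volume 'C:' -Paths @(
    '\Documents and Settings\User\Application Data\ICAClient\appsrv.ini',
    '\Documents and Settings\User\Application Data\ICAClient\pn.ini'
)
```

Run Show-FbwfState before committing and confirm that the files you expect are the only ones in the overlay; anything else in the list is a change you did not intend to keep.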

Thursday, December 4, 2008

Publish Lotus Notes client in Citrix

There is a Lotus Technote, 1202109, that explains how to publish the Lotus Notes client on a Citrix XenApp (Presentation Server) server. A few comments need to be added to it.

Step #1.b: Lotus Notes must be installed through the Add/Remove Programs applet. Alternatively, switch the session to Install mode by running "change user /install" and then run setup.exe to install the Lotus Notes client. Install mode is what makes the per-user registry and INI settings written by the installer available to every user of the terminal server; simply double-clicking setup.exe is not enough.

Step #4, Script A: I did not create this logon script. Instead I created a system environment variable, RootDrive: open Control Panel > System > Advanced (tab) > Environment Variables (button) and add a new system variable in the lower section (not a user variable in the upper section!).

Final Step: You must log off and log on with an unprivileged user account to launch Notes. If Notes is opened under an administrative account, a second administrator who opens Lotus Notes on the same terminal server gets the error "CLFRJ0010E: Notes initialization failed". Two or more unprivileged IDs, however, can use Notes concurrently. I checked, but there is no Technote describing this error.

Additional Step: You must run "change user /execute" afterwards, or Notes will not run in your session.
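The Install-mode steps are easy to get half right: the installer finishes but the session is left in Install mode, and Notes then fails to start. The following is an added example, not part of the Technote or of this post's procedure, that wraps steps 1.b, 4 and the Additional Step so the session always returns to Execute mode. It assumes PowerShell is installed on the Windows 2003 Terminal Server / XenApp host and that it is run from an administrative console; the setup path and the RootDrive letter are placeholders.

```powershell
# Added example: Install-mode wrapper for a Terminal Server / XenApp host.
# Assumes PowerShell on the server; $SetupPath and $RootDrive are placeholders.
function Install-NotesForTerminalServer {
    param(
        [string]$SetupPath = 'D:\NotesInstall\setup.exe',   # placeholder
        [string]$RootDrive = 'W:'                           # placeholder
    )
    try {
        change user /install
        # "change user /query" reports the session's current mode; make sure the
        # switch actually happened before launching the installer.
        $mode = (change user /query) -join ' '
        if ($mode -notmatch 'install') { throw "Session is not in Install mode: $mode" }

        # Run the installer and wait for it to finish. GUI installers return to the
        # console immediately, and switching back to Execute mode mid-install would
        # leave the per-user settings unrecorded.
        $proc = [System.Diagnostics.Process]::Start($SetupPath)
        $proc.WaitForExit()
        if ($proc.ExitCode -ne 0) { throw "setup.exe exited with code $($proc.ExitCode)" }

        # Step #4 replacement: a system (Machine) variable, not a user variable,
        # so every Notes user on the server sees it.
        [Environment]::SetEnvironmentVariable('RootDrive', $RootDrive, 'Machine')
    }
    finally {
        # Additional Step: Notes will not run in this session until it is back
        # in Execute mode, so restore it even if the install failed.
        change user /execute
        change user /query
    }
}

Install-NotesForTerminalServer
```

The finally block is the point of the wrapper: whatever setup.exe does, the session ends in Execute mode, so the failure described in the Additional Step cannot be left behind.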

Friday, June 13, 2008

Minimal rights to remotely monitor performance by WMI

I wrote a VBScript to monitor several memory performance counters on Windows 2003 domain member servers and send me an email when any counter crosses its threshold. The script itself is simple, but I did not want to make the service account that schedules and runs it a member of Administrators. Below are the minimal rights I found that meet this requirement.
 
1. Create an AD group, mydomain\Performance Monitor Users, and add the service account to it.

2. To read performance counters locally, add the AD group to the built-in local group Performance Monitor Users on each server to be monitored, e.g. mycomputer1.

3. To read the counters remotely through WMI, the account also needs remote DCOM permissions and permissions on the WMI namespace. Microsoft explains this in detail (http://msdn.microsoft.com/en-us/library/aa393266(VS.85).aspx). Below is a straightforward implementation.

3.1 Add "mydomain\Performance Monitor Users" to the built-in local group Distributed COM Users on mycomputer1.

3.2 On mycomputer1, open the Computer Management console, expand Services and Applications, right-click WMI Control, choose Properties, and select the Security tab, which lists the namespaces. Usually it is enough to grant Enable Account and Remote Enable on Root\CIMV2 to mydomain\Performance Monitor Users; the performance counter classes (Win32_PerfFormattedData_*) live in that namespace.

3.3 The default scope for a new permission entry is This namespace only. My Windows 2003 SP1 server, however, displayed only the Root namespace and none of its subnamespaces, so I had to open the advanced security settings and apply the entry to This namespace and subnamespaces. Note that this is broader than the previous step: the group then has Enable Account and Remote Enable on every namespace below Root, not just CIMV2.
 
3.4 All memberships and permissions on mycomputer1 are granted to the domain group "mydomain\Performance Monitor Users", so which accounts actually hold these rights is controlled in one place, the group's membership in AD. If the WMI remote-access permissions are instead granted to a local account or local group such as Performance Monitor Users, anyone with local administrator rights on that server can later add other accounts to the local group and they obtain the remote rights too. With many member servers in the domain that is impossible to audit, and it becomes a security hole.
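The console steps above have to be repeated on every monitored server, which is where scripting pays off. The following is an added example, not the article's own code: it performs steps 2, 3.1, 3.2 and (optionally) 3.3 on the monitored server. Run it locally on mycomputer1 as an administrator with PowerShell 2.0 or later. The group name is the article's; the __SystemSecurity methods and the access-mask bits are the standard WMI security API (constants from WbemCli.h).

```powershell
# Added example: grant a domain group the minimal rights for remote WMI
# performance monitoring on this server. Run as an administrator on mycomputer1.
$Group = 'mydomain\Performance Monitor Users'

# Step 2 and step 3.1: nest the domain group in the two built-in local groups.
net localgroup 'Performance Monitor Users' $Group /add
net localgroup 'Distributed COM Users'     $Group /add

# Access-mask bits and ACE flags for WMI namespace security (WbemCli.h)
$WBEM_ENABLE        = 0x01   # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"
$CONTAINER_INHERIT  = 0x02   # AceFlags: this namespace and subnamespaces
$ACCESS_ALLOWED     = 0x00   # AceType

function Grant-WmiNamespaceAccess {
    param(
        [string]$Namespace,            # e.g. 'root\cimv2'
        [string]$Account,              # DOMAIN\name
        [int]$AccessMask,
        [switch]$IncludeSubnamespaces  # step 3.3 workaround; default is "This namespace only"
    )
    $domain, $name = $Account -split '\\', 2
    # Store the SID, not the name, in the ACE so it does not depend on later name resolution
    $sid = (New-Object System.Security.Principal.NTAccount($domain, $name)).Translate([System.Security.Principal.SecurityIdentifier]).Value

    $get = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($get.ReturnValue)" }
    $sd = $get.Descriptor

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid

    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceType    = $ACCESS_ALLOWED
    if ($IncludeSubnamespaces) { $ace.AceFlags = $CONTAINER_INHERIT } else { $ace.AceFlags = 0 }
    $ace.Trustee    = $trustee

    # Append the allow ACE; existing entries are left untouched
    $sd.DACL += $ace.PSObject.ImmediateBaseObject

    $set = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $Namespace failed: $($set.ReturnValue)" }
}

# Step 3.2: Enable Account + Remote Enable on root\cimv2 only, where the
# Win32_PerfFormattedData_* counter classes live.
Grant-WmiNamespaceAccess -Namespace 'root\cimv2' -Account $Group -AccessMask ($WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS)

# Step 3.3 alternative, only if the console shows nothing below Root. This is
# broader: it applies to every subnamespace, not just CIMV2.
# Grant-WmiNamespaceAccess -Namespace 'root' -Account $Group -AccessMask ($WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS) -IncludeSubnamespaces
```

Nothing here grants Execute Methods, Provider Write or Full Write, so the group can read counters but cannot call WMI methods such as Win32_Process.Create on the server; that is the difference between a monitoring account and a remote administrator. Reopen WMI Control > Properties > Security afterwards to confirm that the new entry shows exactly the two permissions and the intended scope.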
 
4. Finally, I scheduled a task on a central server to run the script and collect the performance data, but the task would not start. The reason was that "mydomain\Performance Monitor Users" did not have Read and Execute permission on cmd.exe. After granting that permission on both cmd.exe and the script file, the script ran perfectly.
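To show what the rights above actually permit, here is the consumer side as an added example. The article's own script is VBScript and is not reproduced; this is a PowerShell equivalent, run on the central server under the service account (PowerShell 2.0 or later). Server names, thresholds, the SMTP host and the mail addresses are placeholders; the counter class Win32_PerfFormattedData_PerfOS_Memory is the real WMI "Memory" performance object in root\cimv2.

```powershell
# Added example: remote memory-counter monitor running as the non-admin
# service account. All names and thresholds below are placeholders.
$Servers    = @('mycomputer1', 'mycomputer2')
$Thresholds = @{
    AvailableMBytes            = @{ Min = 256 }   # MB free; alert when below
    PagesPersec                = @{ Max = 1000 }  # pages read/written for hard faults per second; alert when above
    PercentCommittedBytesInUse = @{ Max = 90 }    # alert when above
}
$SmtpServer = 'smtp.mydomain.local'          # placeholder
$From       = 'perfmon@mydomain.local'       # placeholder
$To         = 'admin@mydomain.local'         # placeholder

function Assert-NotAdministrator {
    # The point of the rights above is that this runs without Administrators membership.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning "Running as $($id.Name), which is an Administrator; schedule the task under the service account instead."
    }
}

function Get-MemoryCounters {
    param([string]$Computer)
    # Needs Enable Account + Remote Enable on root\cimv2 and DCOM remote access on $Computer
    Get-WmiObject -ComputerName $Computer -Namespace 'root\cimv2' -Class Win32_PerfFormattedData_PerfOS_Memory -ErrorAction Stop
}

function Test-Thresholds {
    param($Counters, [hashtable]$Thresholds)
    $alerts = @()
    foreach ($name in $Thresholds.Keys) {
        $value = $Counters.$name
        $limit = $Thresholds[$name]
        if ($limit.ContainsKey('Min') -and $value -lt $limit.Min) { $alerts += "$name = $value (below $($limit.Min))" }
        if ($limit.ContainsKey('Max') -and $value -gt $limit.Max) { $alerts += "$name = $value (above $($limit.Max))" }
    }
    return $alerts
}

function Send-Alert {
    param([string]$Subject, [string]$Body)
    $smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer)
    $smtp.Send($From, $To, $Subject, $Body)
}

Assert-NotAdministrator
foreach ($server in $Servers) {
    try {
        $counters = Get-MemoryCounters -Computer $server
        $alerts   = @(Test-Thresholds -Counters $counters -Thresholds $Thresholds)
        if ($alerts.Count -gt 0) {
            Send-Alert -Subject "Memory threshold crossed on $server" -Body ($alerts -join "`r`n")
        }
    }
    catch {
        # "Access is denied" (0x80070005) here means a DCOM or WMI namespace
        # permission from the steps above is missing on $server.
        Send-Alert -Subject "WMI query failed on $server" -Body $_.Exception.Message
    }
}
```

Schedule it with powershell.exe as the program, running as the service account. As step 4 found for cmd.exe, that account needs Read and Execute on the interpreter and on the script file, and nothing more on the central server.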