
Tuesday, 20 December 2011

A modular approach to Altiris Deployment Console Software Installs.


One thing that always annoyed me about Altiris was that when working with multiple servers there was no way to load balance or route traffic based upon the closest server; instead Altiris would try to push everything from the central site. The work-around is that you have to create multiple jobs for the one piece of software, which can get very tedious, is prone to human error and generally looks very messy in your deployment console! Thanks to the scheduling features in Altiris, publishing smaller applications wasn't such a big deal even if your WAN link wasn't great, but when you have to deploy something as big as Office 2010 you begin to appreciate the scale of the problem. In this post I will show you my method of dynamically mapping to the closest server, using a modular approach that you can reuse time and again in all your deployment jobs.

It all starts with a good drive mapping script


As I mentioned previously, telling the Altiris client to use the closest distribution point instead of one that is potentially hundreds of miles away can't be achieved using the standard "Add copy file job". Instead we turn to VBScript.


The script below will do the following tasks:
  1. Have the client ping a list of Altiris servers
  2. Clear the required drive letter on the client PC (W: in this example)
  3. Map the drive letter to the closest Altiris distribution point based upon ping response time
  4. If a user is logged on, map the drive with the user's credentials
  5. If no user is logged on, map the drive with the domain account specified in the script

' Drive mapping script by Andrew Allison 07/06/2011
' Pings all Altiris servers in the array and maps W: to the one with the lowest response time.
' If a user is logged on, the drive is mapped with the credentials the script runs under;
' if not, the domain account in the uzername variable is used.
'****************************************************************************************************

' Array holding the list of Altiris distribution servers
Dim arr : arr = Array( "server1" , "server2" , "server3" , "server4" , "server5" )
Dim out, lowestping

' Stop here if no server answered a ping; otherwise out(0) would be undefined
If Not ServersByPingTime( arr , out , True ) Then
    WScript.Echo "No Altiris distribution server responded to ping."
    WScript.Quit 1
End If
lowestping = out(0)
'WScript.Echo "Fastest server: " & lowestping

' Find out whether anyone is logged on at the console
Dim strComputer, objWMIService, colComputer, objComputer, strLoggedOn
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colComputer = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")
For Each objComputer In colComputer
    If IsNull(objComputer.UserName) Then 'No one is logged on
        strLoggedOn = "No"
    Else
        strLoggedOn = "Yes"
    End If
Next

Dim objNetwork
Dim strDriveLetter, strRemotePath
Dim strProfile
Dim uzername
Dim p4ssword

' Domain account used to map the drive in the event no user is currently logged on.
' NOTE: this password sits in clear text in the script, so anyone who can read the
' script (or the Altiris job) gets this account. Use a dedicated account that only
' has read access to the distribution share, not a domain admin.
uzername = "yourdomain\domainadminaccount"
p4ssword = "youraccountpasword"
strProfile = True   'bUpdateProfile argument of MapNetworkDrive (Boolean)

' Drive letter to use
strDriveLetter = "w:"
' Server name and path to the distribution share
strRemotePath = "\\" & lowestping & "\yourshare"

On Error Resume Next
Set objNetwork = CreateObject("WScript.Network")
' Remove the drive letter first in case it is currently mapped somewhere else
objNetwork.RemoveNetworkDrive strDriveLetter
WScript.Sleep 5000
Err.Clear
If strLoggedOn = "No" Then
    ' Map the drive letter using the domain account
    objNetwork.MapNetworkDrive strDriveLetter, strRemotePath, strProfile, uzername, p4ssword
Else
    ' Map the drive using the credentials the script is running under
    objNetwork.MapNetworkDrive strDriveLetter, strRemotePath
End If
If Err.Number <> 0 Then
    WScript.Echo "Failed to map " & strDriveLetter & " to " & strRemotePath & ": " & Err.Description
    WScript.Quit 1
End If

' Ping one host once and parse the statistics out of the ping output.
' Returns True if at least one reply came back. (The bytesSent/bytesReceived/bytesLost
' names are kept from the original; the values are packet counts.)
Function Ping(strHost , ByRef bytesSent , ByRef bytesReceived , _
         ByRef bytesLost , ByRef minMs , ByRef maxMs , ByRef aveMs )
 Ping = False
 Dim objShell, objExec, strPingResults
 Set objShell = CreateObject("WScript.Shell")
 Set objExec = objShell.Exec("ping -n 1 " & strHost)
 Do
     WScript.Sleep 100
 Loop Until objExec.Status <> 0
 strPingResults = objExec.StdOut.ReadAll
 ' Matches the "Packets: Sent = ..." and "Minimum = ...ms" lines of English ping output.
 ' A failed ping has no Minimum/Maximum/Average line, so the match fails and Ping stays False.
 Dim regexpingstats : Set regexpingstats = New RegExp
  regexpingstats.Pattern = "Packets:\s+Sent\s+=\s+([0-9]+).*Received" & _
                           "\s+=\s+([0-9]+).*Lost\s+=\s+([0-9]+)(?:.*\s)+" & _
                           "Minimum\s+=\s+([0-9]+)ms.*Maximum\s+=\s+" & _
                           "([0-9]+)ms.*Average\s+=\s+([0-9]+)ms"
 regexpingstats.Global = True
 regexpingstats.IgnoreCase = True
 regexpingstats.MultiLine = True
 If regexpingstats.Test(strPingResults) Then
  Dim m : Set m = regexpingstats.Execute(strPingResults)
  bytesSent = CInt(m.Item(0).SubMatches.Item(0))
  bytesReceived = CInt(m.Item(0).SubMatches.Item(1))
  bytesLost = CInt(m.Item(0).SubMatches.Item(2))
  minMs = CInt(m.Item(0).SubMatches.Item(3))
  maxMs = CInt(m.Item(0).SubMatches.Item(4))
  aveMs = CInt(m.Item(0).SubMatches.Item(5))
  Ping = (bytesSent > bytesLost)
 End If
End Function

' Pings every server in inServerList and returns the live ones sorted fastest to slowest.
' Returns False if no server was found alive.
' outSortedByMs - array of server names, fastest response time first
' (verbose output only appears when the script is run with cscript.exe)
Public Function ServersByPingTime( ByVal inServerList , _
                ByRef outSortedByMs , bVerbose )
  On Error Resume Next
  ServersByPingTime = False
  Dim outLivingSorted : outLivingSorted = Array()
  Dim s, i , j , temp
  Dim bs, br, bl, mi , ma , av
  For Each s In inServerList
   If bVerbose Then WScript.StdOut.Write("        Server: " & s )
   If Ping( s , bs, br, bl, mi , ma , av ) Then
    If bVerbose Then WScript.StdOut.WriteLine(" [Passed] average " & av & " ms")
    i = UBound(outLivingSorted) + 1
    ReDim Preserve outLivingSorted(i)
    outLivingSorted(i) = Array(s, av)   ' (server name, average ms)
    ServersByPingTime = True ' Success, at least one server is alive
   Else
    If bVerbose Then WScript.StdOut.WriteLine(" [Failed]")
   End If
  Next
  ' Bubble sort by average response time (element 1 of each pair)
  For i = UBound(outLivingSorted) - 1 To 0 Step -1
    For j = 0 To i
      If outLivingSorted(j)(1) > outLivingSorted(j+1)(1) Then
         temp = outLivingSorted(j+1)
         outLivingSorted(j+1) = outLivingSorted(j)
         outLivingSorted(j) = temp
      End If
    Next
  Next

  ' Copy just the server names, now ordered by response time, into the output array
  Dim temparray
  ReDim temparray(UBound(outLivingSorted))
  For i = 0 To UBound(outLivingSorted)
    temparray(i) = outLivingSorted(i)(0)
  Next
  outSortedByMs = temparray
End Function
WScript.Quit
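
As an added example (not code from the original post), here is a variation on the mapping step that starts from a list already sorted fastest-first, tries each server in turn until the drive maps and the share is actually visible, and records the outcome in the Application event log. The server list is constructed for illustration; the share name "yourshare" and drive letter W: follow the script above. It maps only with the credentials the script runs under, so no account password is embedded in it.

```vbscript
Option Explicit
On Error Resume Next

' Candidate list as ServersByPingTime would return it, fastest first
' (constructed for illustration). Share and drive letter follow the post.
Dim sortedServers, strShare, strDriveLetter
sortedServers = Array("server1", "server3", "server2")
strShare = "yourshare"
strDriveLetter = "W:"

Dim objNetwork, objFSO, objShell
Set objNetwork = CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")

' Returns the name of the server that was mapped, or "" if none could be.
Function MapFirstReachable(servers, share, driveLetter)
    Dim s, strUNC
    MapFirstReachable = ""
    For Each s In servers
        strUNC = "\\" & s & "\" & share
        ' Free the letter first (bForce = True); a "not mapped" error is ignored
        objNetwork.RemoveNetworkDrive driveLetter, True, True
        Err.Clear
        ' Map with the credentials the script runs under: no password in the script
        objNetwork.MapNetworkDrive driveLetter, strUNC
        If Err.Number = 0 Then
            ' A ping reply does not prove the file service is up: check the share
            If objFSO.FolderExists(driveLetter & "\") Then
                MapFirstReachable = s
                Exit Function
            End If
            objNetwork.RemoveNetworkDrive driveLetter, True, True
        End If
        Err.Clear
    Next
End Function

Dim mapped
mapped = MapFirstReachable(sortedServers, strShare, strDriveLetter)
If mapped = "" Then
    ' Type 1 = error in the Application log, so a failed site shows up centrally
    objShell.LogEvent 1, "Altiris mapping: no distribution point reachable for share " & strShare
    WScript.Quit 1
End If
' Type 4 = information
objShell.LogEvent 4, "Altiris mapping: " & strDriveLetter & " -> \\" & mapped & "\" & strShare
```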



Copy the files down to the local PC

You are probably wondering why not just use the built-in "Copy File to" function in Altiris? Well, I've tested this without much success. If you specify a drive letter in this function for Altiris to use, it will think that W: is in fact a local drive on the Altiris server. You can't specify a UNC path either, as this would defeat the purpose of the above script.


I find that my installers behave themselves much better when they are copied to the PC before installing. Using my method here creates a little extra complexity, as you will need to synchronise the content on all Altiris servers, but overall it's worth it to ensure that no matter what site a machine is based in, you won't kill the WAN and the install won't take forever. Below is an example script; all it does is copy the files down. You will end up with a new "copy file to" script for each app you own, so make sure to save each one with a meaningful name.



'Copy folder contents from the mapped distribution point to the local PC
'Last update 10/08/10 by Andrew Allison

'**************************************************
On Error Resume Next
Dim WshShell, WshEnv, objFSO, strDirectory1, strSource, strDestination

Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshEnv = WshShell.Environment("PROCESS")
Set objFSO = CreateObject("Scripting.FileSystemObject")

Const OverWriteFiles = True

'Creates the Support Directory on the C drive if it is not already there
strDirectory1 = "c:\support"
If Not objFSO.FolderExists(strDirectory1) Then objFSO.CreateFolder strDirectory1

' Disables the Open File security warning for any process started by this script.
WshEnv("SEE_MASK_NOZONECHECKS") = 1

' Source folder on the W: drive mapped by the drive mapping script. The destination
' has no trailing separator, so CopyFolder creates C:\support\yourfolder and copies
' the folder contents into it, overwriting files that are already there.
strSource = "W:\yourfolder"
strDestination = "C:\support\yourfolder"
Err.Clear
objFSO.CopyFolder strSource, strDestination, OverWriteFiles
If Err.Number <> 0 Then
    WScript.Echo "Copy from " & strSource & " failed: " & Err.Description
    WScript.Quit 1
End If

' Enables the Open File security warning again.
WshEnv.Remove "SEE_MASK_NOZONECHECKS"

WScript.Quit

 

Send the Install command

The installation command will obviously be different depending on the program and installation package type. MSI files are generally much easier to work with than most others. There is not really any benefit to having this part as VBScript, although it is entirely possible. I have to admit that usually I just use the "Run Script" command in Altiris and then type in the install string and the full path to the "c:\support" directory.






Clean up the drive letter

After the install has been completed you will always want to ensure you remove the drive letter. You don't really want your users snooping around on your distribution points.

Option Explicit
on error resume next
Dim objShell, objNetwork, DriveLetter1

DriveLetter1 = "w:"
Set objShell = CreateObject("WScript.Shell")
Set objNetwork = CreateObject("WScript.Network")

objNetwork.RemoveNetworkDrive DriveLetter1
Wscript.Quit


The whole process looks a little like this for each deployment job. This example is Autodesk DWG TrueView; the "run script" sections below represent many prerequisite software installations. Luckily you can simply run one after another.

Sunday, 18 December 2011

Removing local admin accounts except for Jim and Bob

As far as I can remember it's been recommended good practice to remove local administration rights from end-users' PCs, but if you haven't already done this, or haven't quite got everyone in your department on board with the idea, it can be a tricky business explaining to your users why you have to remove that BitTorrent client and their favourite spyware-ridden game from their business machine. What about Jim and Bob, the directors of your company? Effectively it's their train set: they pay your salary and pretty much own the business. Are you really in a position to be able to tell them what they can or can't do on a company PC? Once they have their own apps installed, this inevitably leads to an infection where all the lower-level managers below them want the same. Before you know it you become inundated with requests for questionable software to be installed and end up actually having to support it. Congratulations, you now support an app you know nothing about, with no mention of it in your service catalogue and no Service Level Agreement.

In an ideal world the best solution to this is not to allow them to install it in the first place, which is fine if you are in a position to take this firm standpoint and treat all users the same. Unfortunately a few weaker links inevitably end up making more work for you and everyone else.

Group policy will allow you to create security groups for your elevated accounts and can also be configured to strip out other accounts from local administration groups. This is fine if everyone is on-board with the idea and you don't want to end up with several policies for different types of users.

The solution I came up with will allow you to remove all unauthorised user accounts, both domain and local, from the computer's Administrators group, but will allow you to add your elevated accounts and keep a list of exceptions that won't be removed. This means Jim and Bob, and those rare but pesky applications that just won't work properly without local admin privileges, can still work, and you have clear visibility of who actually has these rights.

The script below was based on another script I found that would just remove all local admins, I've modified it to allow exceptions, and to add in the relevant elevated account groups. Keep reading for instructions on how to implement it into your environment.


' Remove Unapproved Local Administrators.
' Last update 28/10/11 by Andrew Allison
' vbscript


'** check os version first: only run on Windows XP Professional so the script
'** never strips the Administrators group on a server
strComputer = "."
Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colItems = objWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48)
For Each objItem In colItems
    osversion = objItem.Caption
    targetos = "Microsoft Windows XP Professional"
    intCompare = StrComp(osversion, targetos, vbTextCompare)
    'wscript.echo osversion & " / " & targetos & " / " & intCompare
    If intCompare <> 0 Then   'StrComp returns 0 only when the two strings match
        wscript.echo "Do not use your standard user account to log onto servers! Use your Elevated account."
        wscript.quit
    End If
    'intCompare = 0 - it must be good old XP - lets rock!
Next

'** Define Variables
    Dim PermittedAdmins' As Array
    Dim group
    Dim network
    Dim fourthletterinname
    Dim AdminGroup, GroupMember, toRemove, memberPath


'** Define Permitted Administrators List (accounts and groups the script will NOT remove)
'** The PCADMIN group names here must match the ones added in the "Start adding PCadmin groups" section below
PermittedAdmins = Array("Administrator", "Domain Admins", "Director1", "Director2", "GPO_LAPTOP_PCADMIN", "GPO_DESKTOP_PCADMIN") '<--- Add to this Array any additional permitted admins


'** Get Local Administrator Group
    Set AdminGroup = GetObject("WinNT://./Administrators,group")

'** Search for Invalid Members & Remove Them
'** Collect the paths first: removing members while enumerating the collection can skip entries
    toRemove = Array()
    For Each GroupMember In AdminGroup.Members

        'wscript.echo GroupMember.Name & " (" & GroupMember.Class & ") permitted: " & IsPermitedAdmin(GroupMember.Name)

        If Not IsPermitedAdmin(GroupMember.Name) Then
            ReDim Preserve toRemove(UBound(toRemove) + 1)
            toRemove(UBound(toRemove)) = GroupMember.ADsPath
        End If
    Next
    For Each memberPath In toRemove
        AdminGroup.Remove memberPath
    Next

'** Functions *****************************************************************
    '** Case-insensitive match on the account or group name only. Note this keeps any
    '** member with a permitted name regardless of whether it is a domain or local account.
    Function IsPermitedAdmin(MemberName)' As Boolean
        Dim i' As Long

        For i = LBound(PermittedAdmins) To UBound(PermittedAdmins)
            If UCase(MemberName) = UCase(PermittedAdmins(i)) Then
                IsPermitedAdmin = True
                Exit Function
            End If
        Next

        IsPermitedAdmin = False
    End Function


'**Start adding PCadmin groups
Set wshShell = WScript.CreateObject( "WScript.Shell" )
strComputerName = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
Set network = CreateObject("WScript.Network")
Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
On Error Resume Next

'** Naming convention SITE-MACHINETYPE-ASSETNO-USER: the fourth character is D for desktops, L for laptops
fourthletterinname = UCase(Mid(strComputerName,4,1))
If fourthletterinname = "D" Then
    group.Add "WinNT://yourdomain/GPO_DESKTOP_PCADMIN"
ElseIf fourthletterinname = "L" Then
    group.Add "WinNT://yourdomain/GPO_LAPTOP_PCADMIN"
Else
    'do nothing
End If
On Error Goto 0
wscript.quit


Note that in the "check OS version first" section of the above script I have specified that this script should only run on a single operating system, Windows XP Professional. This can easily be changed to any other operating system. The purpose of this check is that, in all likelihood, you don't want this script to end up running on your server operating systems, although it is entirely possible to add all your local server administration accounts too. If you don't want to use the OS check, simply remove this section.

The "Define Permitted Administrators List" section is where you will want to put in the names of your PC Admin management groups and also your pesky exceptions. This isn't a list that will add admin groups; this is the list of accounts and groups that the script will NOT remove.

Another part you may want to remove or modify is "Start adding PC admin groups". This is the section that will insert your Active Directory PC Administration groups into the PC's local Administrators group. In my environment all devices follow a strict naming convention, SITE-MACHINETYPE-ASSETNO-USER, e.g. SBPD12345ALLISA. The "fourth letter in name" variable holds the fourth letter of the machine name, which as you can see will be either D for desktops or L for laptops. If you only have one admin group for every type of device you can modify this to use just one group; this section just gives a slightly more granular level of control.
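
As an added example (not the original post's script), here is the same check in an audit-first form. It matches members on CONTAINER\NAME taken from each member's ADsPath (assumed to look like WinNT://DOMAIN/user for domain members and WinNT://DOMAIN/COMPUTER/user for local ones), so a local account that merely shares a name with a permitted domain account is not kept; it snapshots the group before changing it; and with AuditOnly set to True it only writes the offenders to the Application event log, so you can see what a run would remove before letting it remove anything. The group and account names are constructed placeholders.

```vbscript
Option Explicit
On Error Resume Next
' Permitted entries as CONTAINER\NAME, so a local account that merely shares a
' name with a permitted domain account is not treated as permitted.
' Group and account names are constructed for illustration.
Dim PermittedAdmins
PermittedAdmins = Array("yourdomain\Domain Admins", "yourdomain\Director1", _
                        "yourdomain\GPO_DESKTOP_PCADMIN", "yourdomain\GPO_LAPTOP_PCADMIN")
Const AuditOnly = True   ' True = report only (safe first run); False = also remove

Dim objShell, objNetwork, strComputer
Set objShell = CreateObject("WScript.Shell")
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

' Turns "WinNT://DOMAIN/user" or "WinNT://DOMAIN/COMPUTER/user" into "CONTAINER\user"
' (assumed ADsPath layout of the WinNT provider).
Function MemberKey(adsPath)
    Dim parts
    parts = Split(Replace(adsPath, "WinNT://", "", 1, 1, vbTextCompare), "/")
    MemberKey = parts(UBound(parts) - 1) & "\" & parts(UBound(parts))
End Function

Function IsPermitted(key)
    Dim p
    ' The built-in local Administrator account is always kept
    IsPermitted = (StrComp(key, strComputer & "\Administrator", vbTextCompare) = 0)
    For Each p In PermittedAdmins
        If StrComp(key, p, vbTextCompare) = 0 Then IsPermitted = True
    Next
End Function

Dim AdminGroup, member, offenders, path
Set AdminGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
offenders = Array()

' Snapshot first: removing members while enumerating the collection can skip entries
For Each member In AdminGroup.Members
    If Not IsPermitted(MemberKey(member.ADsPath)) Then
        ReDim Preserve offenders(UBound(offenders) + 1)
        offenders(UBound(offenders)) = member.ADsPath
    End If
Next

' Event log entries (type 2 = warning, 4 = information) can be collected centrally
For Each path In offenders
    If AuditOnly Then
        objShell.LogEvent 2, "Unapproved local admin on " & strComputer & ": " & path
    Else
        AdminGroup.Remove path
        objShell.LogEvent 4, "Removed local admin on " & strComputer & ": " & path
    End If
Next
```

Run it with AuditOnly left at True on a few machines first and review the warnings in the Application log; the list of offenders is exactly what flipping it to False would remove.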

OK, now you have the script and have modified it to suit your environment, but how do you deliver it to the PCs? Group policy is the key here.

You have two choices here: you can apply it through either a machine-based policy or a user-based policy. There are advantages and disadvantages to both. In my environment my manager requested this be done with user policies. Create a new policy or modify an existing one and navigate to "scheduled tasks".


Right click and create a new scheduled task. The settings here are up to you, but this is how I have configured mine.

It's up to you where you store the script; you could in effect deliver it to each machine, or leave it on a web server. I personally have opted to put it into the domain SYSVOL folder on my Domain Controller. Ensure that the account you use on the scheduled task has sufficient access to manage your PC admin group. I set the script to run at logon to remove unwanted "tweakers" ;-)




All of this is pointless if you fail to maintain your Active Directory PCADMIN groups: don't allow unelevated accounts to be added to these groups. The last thing you want is to give your director rights to install software on every PC on the network rather than just his own. Use the exclusions wisely.

Andrew