Channel: TechNet Blogs

Social Media Security


From large corporations to regular users, nowadays pretty much everyone is using one or more social-media-related apps. I wrote an article for ISSA that was published today in the July issue of the ISSA Journal. In this article I go over the security considerations regarding the use of social media and how to increase your security.

If you are an ISSA member, you can download the entire magazine; if you are not, you can download this article from here.


Breaking the lab, Interactive Logon: Require smart card. Should I just set that on my Domain Controllers?


Just to answer the question from the title: I believe the answer should be No! I recommend following Microsoft guidance to force smart card use on administrative credentials and to have rarely used emergency access accounts to handle the bullet points outlined later in this post. I’m not going to rewrite what has already been discussed in depth around this topic; for more info check out Securing Privileged Access Reference Material.

Every day I get a number of questions, and like many of you I spend time searching the interwebs for the answer. Sometimes I find the answer and a lot of times I do not.

I received this question, and have had this discussion multiple times with other admins, about the following issues that could occur if they set this flag on a server or domain controller.

  • If you are in front of the server, will you have a smart card reader attached to it?
  • Does the server vendor support a virtual USB-like capability if you have to log on to the console remotely through a DRAC or iLO?
  • How do I log on to a server if my smart card is missing?

So now back to the question. What happens if I set this on a Domain Controller? I’m going to break my lab so that you don’t have to.

In this scenario I built one Domain Controller, created a generic domain/forest and set this setting in the Default Domain Controllers GPO.


After running a gpupdate /force, I validated that the setting was applied on the DC.


And to make sure this applies I rebooted the domain controller.

I then tried logging onto the Domain Controller, with the Domain Built-in Administrator account.


So now I can’t log onto my one and only Domain Controller, because the only account in the domain does not have a smart card. For grins I shut down the domain controller and booted it into safe mode. I’m hoping this will let me log on without a smart card.


It does, and I’m able to get back onto the system.


Since I tested this with a GPO, I would need to modify the GPO to resolve the issue. But if I had applied a security template locally, safe mode would let me back into the system so that I could back out the change.

This is a short and sweet post. I hope you find this info useful and that it helps you move forward with planning your smart card deployment.
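Before rolling out the smart card requirement, it helps to know which DCs already enforce it and which privileged accounts would be locked out by it. The script below is an added example, not part of the original post: it reads the machine-side backing value of "Interactive logon: Require smart card" (the scforceoption DWORD under the Policies\System key) from every DC, and reports whether each member of the privileged groups is configured for "Smart card is required for interactive logon". It assumes the ActiveDirectory RSAT module and WinRM access to the DCs; the group list is an assumption you can change.

```powershell
# Added example (not from the original post): pre-deployment audit for
# "Interactive logon: Require smart card" on domain controllers.
# Assumes the ActiveDirectory module (RSAT) and WinRM access to each DC.
Import-Module ActiveDirectory

function Get-DcSmartCardRequirement {
    # Reads scforceoption (1 = smart card required for every interactive
    # logon) from every DC in the current domain.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty -Path $using:regPath -Name scforceoption -ErrorAction SilentlyContinue).scforceoption
            }
            [pscustomobject]@{
                DomainController = $dc.HostName
                RequireSmartCard = ($value -eq 1)
                Reachable        = $true
            }
        }
        catch {
            # Unreachable DC: report it rather than silently skipping it.
            [pscustomobject]@{ DomainController = $dc.HostName; RequireSmartCard = $null; Reachable = $false }
        }
    }
}

function Get-PrivilegedSmartCardStatus {
    # Lists user members of the privileged groups (assumed list) and whether
    # each account has "Smart card is required for interactive logon" set.
    param([string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    $seen = @{}
    foreach ($g in $Groups) {
        foreach ($m in Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user') {
            if ($seen.ContainsKey($m.distinguishedName)) { continue }   # nested groups overlap
            $seen[$m.distinguishedName] = $true
            $u = Get-ADUser -Identity $m.distinguishedName -Properties SmartcardLogonRequired, Enabled
            [pscustomobject]@{
                SamAccountName         = $u.SamAccountName
                Enabled                = $u.Enabled
                SmartcardLogonRequired = $u.SmartcardLogonRequired
            }
        }
    }
}

$dcs = Get-DcSmartCardRequirement
$dcs | Format-Table -AutoSize
if ($dcs | Where-Object RequireSmartCard) {
    Write-Warning 'At least one DC already forces smart card logon for every interactive account.'
}

$admins = Get-PrivilegedSmartCardStatus
$admins | Format-Table -AutoSize
# Per the guidance in the post: admin accounts should require a smart card,
# and at least one enabled emergency-access account should still be usable without one.
$noCard = $admins | Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired }
if (-not $noCard) {
    Write-Warning 'No enabled privileged account can log on without a smart card; keep an emergency-access account.'
}
```

Run it from an elevated session with RSAT installed. A DC reporting RequireSmartCard = True is the lab scenario above in production: every console logon, including the built-in Administrator, needs a reader and a card.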

Additional Resources: Log On in Safe Mode to Configure the Computer for Password Logon

Building a cloud ready partner business



Your profitability in the cloud has been a priority for the Microsoft Partner Network for the past few years. Earlier this year, we began releasing new IDC research commissioned by Microsoft as a series of eBooks about the modern Microsoft partner. And, in response to requests from partners to provide them with deeper guidance about building a profitable cloud practice, the US Partner Team now has the cloud ready initiative, built in collaboration with the Microsoft Worldwide Partner Group and Microsoft partner Meylah.

Over the past three months, we have engaged more than 300 US partners in the cloud ready initiative, and helped them identify about $18 million in cloud-based revenue.

Defining the cloud ready business

What does it mean to have a cloud ready business? It means that your business has the ability to attract new customers and generate recurring revenue by offering solutions and services that scale easily to meet customer demand.

Cloud ready partners create and sell more packaged offerings and services, with ISV solutions included. For ISV partners, cloud readiness includes offering a partner program that provides margins to partners such as managed services providers and systems integrators, companies that can help drive new monthly recurring revenue streams.

Assess your cloud readiness

The new Cloud Ready Business Toolkit includes a 15-minute assessment that provides you with a report card. This assessment will help you identify areas to invest resources and budget, and provide you with a 100-day action plan so you can start winning cloud customers.

All of the partners we have worked with so far in our cloud ready initiative started their cloud transformation journey by taking the assessment. I encourage you to take that first step too.

Take the cloud ready assessment at aka.ms/iamcloudready

Cloud ready at WPC 2016

If you’re attending WPC in Toronto, take the assessment and bring your report card with you to discuss your results.

Attend session US04, Building a #cloudready business

Join Karen Fassio and me for this session on Tuesday at 1:00PM or Wednesday at 1:00PM and learn how to incorporate managed services, build and package your IP, and partner with ISVs to capitalize on the cloud opportunity.

The session will include a panel with partners Invitix, Meylah, and SkyKick, who will share their insights about how they made the transition to the cloud, the roadblocks they experienced, and how they are helping partners transform their business.

Add session US04 to your schedule in Connect

Meet the #cloudready consultants in the US Regional Lounge

In the US Regional Lounge, Karen, our partner panelists, and I will be available to talk about your cloud ready assessment results. Bring your report card and meet us during these hours:

  • Monday: 11:30AM–12:30PM and 3:00PM–4:30PM 
  • Tuesday: 11:30AM–12:30PM and 2:30PM–3:30PM
  • Wednesday: 11:00AM–12:00PM

I encourage you to review the Cloud Ready Business Toolkit, take the assessment, and use your results and action plan to identify your opportunities for business growth in the cloud. If you haven’t downloaded the Modern Microsoft Partner eBooks, those are also essential resources for every partner.

Share your plans about building your #cloudready business with me by email at sharonl@microsoft.com, Twitter (@whatsup_sharon), LinkedIn, and Yammer.


Three Resources for Making the Most of Your Internal Use Rights [Published 7/9]


(This article is a translation of Three tools for making the most of your Internal Use Rights, published on the Microsoft Partner Network blog on July 1, 2016. For the latest information, please refer to the linked original page.)

Internal Use Rights (IUR) are one of the many attractive benefits provided to Microsoft Action Pack partners and competency partners. With IUR, your team can use the latest Microsoft software and gain hands-on experience and knowledge of the cloud services and on-premises solutions your customers need. Research also shows that trying out new solutions and training your sales and marketing teams through the IUR benefit can improve sales effectiveness by up to three times.

There is no reason not to start using them right away.

How to make the most of Internal Use Rights

If you are unsure how to use IUR or which types are available to you, use the following resources to get started with IUR.

1. Check your IUR benefits

Refer to the license tables for Action Pack partners (in English) and competency partners (in English) to understand your IUR license allocation.

Check the number of licenses granted, how to obtain or purchase additional seats, and the types of software solutions available. Online and on-premises software licenses can also be combined. The competency partner license table also lets you review benefits such as solutions that help improve productivity.

Understanding the types and number of licenses you have been granted is not easy, so please use the tables above when checking which benefits are currently available to you.

2. Activate your IUR

Once you know which types of IUR are available, activate them right away.

For how to access and activate IUR, watch the video below.

It explains every step, from checking the types of IUR provided with your membership to downloading from the Digital Download portal. To maximize productivity and sales effectiveness with IUR, first use this video to check the types and number of Office 365, Azure, Dynamics Online, and Enterprise Mobility Suite licenses available to your company.

3. Download the program administrator guide for the software and online services benefits

When your team uses the IUR benefits, administrators need to understand how to support them. Download the product usage guide for the software and cloud services benefits to get the details you need to make the most of your Internal Use Rights.

By using Internal Use Rights, your team can understand what makes the technology solutions you sell and support attractive, and receive thorough training, at no additional cost. Check all the IUR benefits available to you today and put them to use. You are sure to see improved productivity and profitability.


Resolving Missing Application State Messages Due to ‘CI Version Info Timed Out’ Errors in Configuration Manager 2012


Problem:

Configuration Manager 2012 applications that were previously deployed no longer show as successes when looking at the Monitoring\Deployments section for a particular application. You will most likely see a majority of errors with no state messages there explaining the cause.

Environment Issue Seen: System Center Configuration Manager 2012 (up to 1511)

Symptoms:

Using the console to run the report Software Distribution – Application Monitoring\Application infrastructure errors for an application with missing state messages, the report will show a large number of the error ‘CI Version Info Timed Out’.

Additionally, in the CIAgent.log for a client that is missing state messages this same error will be shown.

Resolution:

On a client with this issue find the entry in the CIAgent.log with a line similar to the following example:

CIAgentJob({9148AA4C-9523-4482-9F85-50EF84B5E106}): CAgentJob::VersionInfoTimedOut for ModelName ScopeId_BB07E0A0-9C6F-4683-B902-5DA067E71FCA/Application_679af1dd-cbb4-4b2e-8ea5-cdc0b476cf14, version 3 not available.

To find the application associated with this error open the CM console and follow these steps:

  • Go to Software Library\Applications
  • Click the Search box (so the cursor is in the field)
  • Click the button on the ribbon All Subfolders
  • Type the GUID from the previous CIAgent.log error into the Search field. From the example above this would be 679af1dd-cbb4-4b2e-8ea5-cdc0b476cf14
  • Click Search

The application associated with the error should show in the results.

Removing the deployments associated with this application AND any task sequences deployments that contain this application should resolve the error and allow each affected client to resume sending state messages for applications that have been previously installed. Note that if multiple applications have an issue on that client you may have to go through this process several times until no errors of this type are found in the client CIAgent.log.
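When several applications are affected on one client, pulling the GUIDs out of CIAgent.log by hand is tedious. The script below is an added example, not from the original post: it extracts every distinct ModelName, application GUID and version from VersionInfoTimedOut lines so the GUIDs can be searched in the console as described above. The log path is the default CM client log location; when the log is absent it falls back to constructed sample lines that reuse the GUIDs from the post's example. The optional lookup through Get-CMApplication -ModelName and the CIVersion/IsDeployed properties is an assumption about the ConfigMgr module and only runs if that cmdlet is available.

```powershell
# Added example, not from the original post: list distinct "CI Version Info
# Timed Out" applications from a client's CIAgent.log.
$LogPath = "$env:windir\CCM\Logs\CIAgent.log"   # default CM client log location

function Get-TimedOutCiVersions {
    param([Parameter(Mandatory)] [string[]] $Lines)
    # CM log lines wrap the message in <![LOG[ ... ]LOG]!>; the pattern only
    # needs the ModelName and version, so it matches inside that wrapper.
    $pattern = 'VersionInfoTimedOut for ModelName (?<model>ScopeId_[0-9A-Fa-f-]+/Application_(?<guid>[0-9A-Fa-f-]+)), version (?<ver>\d+)'
    $Lines |
        ForEach-Object {
            if ($_ -match $pattern) {
                [pscustomobject]@{
                    ModelName       = $Matches.model
                    ApplicationGuid = $Matches.guid   # paste this into the console search
                    Version         = [int]$Matches.ver
                }
            }
        } |
        Sort-Object ModelName, Version -Unique   # one row per application/version
}

if (Test-Path $LogPath) {
    $lines = Get-Content -Path $LogPath
}
else {
    # Constructed sample input so the script runs offline. The second line is a
    # duplicate and the third is unrelated; both are filtered out.
    $lines = @(
        'CIAgentJob({9148AA4C-9523-4482-9F85-50EF84B5E106}): CAgentJob::VersionInfoTimedOut for ModelName ScopeId_BB07E0A0-9C6F-4683-B902-5DA067E71FCA/Application_679af1dd-cbb4-4b2e-8ea5-cdc0b476cf14, version 3 not available.',
        'CIAgentJob({9148AA4C-9523-4482-9F85-50EF84B5E106}): CAgentJob::VersionInfoTimedOut for ModelName ScopeId_BB07E0A0-9C6F-4683-B902-5DA067E71FCA/Application_679af1dd-cbb4-4b2e-8ea5-cdc0b476cf14, version 3 not available.',
        'CIAgentJob({9148AA4C-9523-4482-9F85-50EF84B5E106}): CAgentJob::HandleEvent(Event=Transition)'
    )
}

$timedOut = Get-TimedOutCiVersions -Lines $lines
$timedOut | Format-Table -AutoSize

# Optional: resolve the model names in a console PowerShell session.
# Get-CMApplication -ModelName and the properties selected below are assumed;
# without the ConfigMgr module, search the ApplicationGuid values in the console.
if (Get-Command Get-CMApplication -ErrorAction SilentlyContinue) {
    foreach ($t in $timedOut) {
        Get-CMApplication -ModelName $t.ModelName |
            Select-Object LocalizedDisplayName, CIVersion, IsDeployed
    }
}
```

Re-run the script after removing each offending deployment; when it returns no rows on the client, the batch evaluation described below should resume sending state messages.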

I believe this kind of situation may be caused by the way the CM client application state does its evaluation where an error with a particular application may cause an error in the batch process and prevent state messages for that client from being sent to the server.

Hopefully this advice helps. In my experience, state messages for affected clients will return in the next day or so after the next application state evaluation cycle runs. For more immediate results it may be useful to trigger the application state evaluation on a particular client and then check the details for that client within the Monitoring\Deployments section for an application that is deployed to it. The details will show for that client before the overall status for that client is updated in the Summarization view.

Reference to an article with a similar situation:

http://social.technet.microsoft.com/Forums/en-US/7ebe1966-1417-4e5e-ba29-1aac6b5b0de1/sccm-2012-deployment-of-updates-failes-with-ci-version-info-timed-out?forum=configmanagersecurity


No warranty is implied with this information.

What’s new for US partners the week of July 11, 2016


Find out what’s new for Microsoft partners. We’ll connect you to resources that help you build and sustain a profitable cloud business, connect with customers and prospects, and differentiate your business. Read previous issues of our online newsletter.

We provide real-time updates about the topics covered in this newsletter and other partner-related news and information on our US Partner Community Twitter channel.

To stay in touch with me and connect with other partners and Microsoft sales, marketing, and product experts, join our US Partner Community on Yammer and see other options to stay informed.


Top stories

Attending WPC 2016? Connect with the US Partner Team

We’re excited to welcome US Partners to WPC 2016 and the experiences we’ve created for you. Read our blog post that summarizes the essential resources to download for WPC and the activities for US Partners. While at WPC, stop by the US Regional Lounge for activity details, to pick up your wristband for the US party, to participate in our P2P Connection Booth, and more.

Watch the WPC 2016 Vision Keynotes online

Even if you’re not able to join us in Toronto for WPC 2016, you’ll want to hear what Satya Nadella, Gavriella Schuster, Judson Althoff, and other Microsoft senior executives have to say about the year ahead for Microsoft and its partners. On Monday, Tuesday, and Wednesday mornings from 8:40AM–10:45AM Eastern Time (5:40AM–7:45AM Pacific Time), tune in to watch live.

Announcing the Secure Productive Enterprise

Secure Productive Enterprise brings Office 365, Windows 10 Enterprise, and the Enterprise Mobility + Security suite together into a single licensing offering that replaces Enterprise Cloud Suite and introduces even more value. With the Secure Productive Enterprise, customers have the latest and most advanced technology for empowering employees.

Microsoft Enterprise Mobility Suite is now Microsoft Enterprise Mobility + Security

Microsoft Enterprise Mobility + Security more accurately communicates the value of this suite to secure productivity, collaboration, and enterprise data. Microsoft EMS protects at the “front door,” protects data from user mistakes, and detects attacks before they cause damage.

Announcing Enterprise Advantage on MPSA

The Microsoft Products and Services Agreement (MPSA) and Cloud Solution Provider (CSP) are the fastest and most flexible ways to acquire Microsoft licenses. In 2017, Enterprise Advantage on MPSA will be added as a new way for commercial customers to buy organization-wide.

Building a cloud ready partner business

Cloud ready partners create and sell more bundled offerings and services with ISV solutions included. For ISV partners, cloud readiness includes offering a partner program that provides margins to partners such as managed services providers and systems integrators who can help drive new monthly recurring revenue streams.

Demonstrate your expertise with a Microsoft competency

Microsoft competencies are designed to meet your customers’ needs and be recognizable to prospective ones. Competencies are now aligned to six centers of excellence that align to your partner business needs.

Digital Partner of Record and Partner Association

Now, multiple partners can get credit for driving customer cloud consumption. We’ve made program enhancements to benefit all partners involved in a cloud subscription. With DPOR and new Partner Association methods, multiple partners can be recognized for the value they add to customers’ cloud subscriptions, and everyone benefits.

Five reasons you should be using account based marketing

Increase alignment between your sales and marketing teams by implementing account-based marketing (ABM). ABM allows you to go deeper with fewer prospects and can help you take your marketing from a cost center to a profit center.

Three tools for making the most of your Internal Use Rights

Having internal use rights (IURs) is one of the many great benefits of being a Microsoft Action Pack or competency partner. With your IURs, you and your team can use the latest Microsoft software to get firsthand knowledge of the cloud services and on-premises solutions your customers need. Research shows that by testing your new solutions and training your sales and marketing teams through your IUR benefits, you can sell up to three times more.

TPM Lockout


Hello everyone. It’s Rafal Sosnowski from Microsoft Dubai Security PFE Team. Today, I am going to talk about TPM Lockout state.

A TPM (Trusted Platform Module) is a small chip on the motherboard (discrete TPM) or part of the CPU implementation (firmware TPM) that can be used to securely store a small amount of information (certificates, private keys, virtual smart cards, BitLocker keys, etc.). That data is completely isolated from the OS, which gives it maximum protection.

To get access to that information, the user has to present some kind of authorization value: for example, the BitLocker PIN to get access to the BitLocker keys, or the virtual smart card PIN to get access to the certificates and private keys.

However, the TPM has special anti-hammering logic that prevents a malicious user from guessing that authorization data indefinitely. The number of permitted PIN failures varies across TPM specifications:

  • For TPM 1.2, each vendor has different lockout logic; even different TPM models from the same vendor might implement different numbers. Moreover, some TPM 1.2 parts even had a broken anti-hammering system (which means the TPM would never lock out).
  • For TPM 2.0, the specification created by the TCG (Trusted Computing Group) clearly states that a maximum of 32 failed attempts is allowed, after which the TPM gets locked out. Every single attempt is forgotten after 2 hours.

Assuming you failed 32 times to enter the correct BitLocker PIN, you will see a message saying “Too many PIN entry attempts”:

The TPM can be locked out by any application or software component that uses keys stored in the TPM and protected by a PIN/password. For example, we can produce secure data blobs encrypted by keys generated in the TPM. Depending on the administrator’s configuration, access to these keys will require or request a PIN:

Another example is the use of virtual smart cards, where a certificate together with its private key is stored in the TPM. Starting with Windows 8.1, virtual smart cards have their own lockout logic, where the user has only 5 possible tries. Each attempt still increments the TPM counter by 1, but it is less likely that the TPM gets locked out.

If your TPM got locked out, it will not accept any authorization data, even if it is correct (the correct PIN).

Now you have 4 solutions:

1) Unlock the TPM using tpm.msc and the TPM Owner Password.

2) Wait some time and enter the correct PIN (TPM 2.0 will forget 1 attempt every 2 hours).

3) Wait x hours to completely reset the TPM lockout counter (for TPM 2.0: 64 hours).

4) Clear the TPM (which means all your data stored in the TPM will be lost).

If your TPM is locked, you will see its status in tpm.msc as “Ready for use with limited functionality”.

Note: “Ready for use with limited functionality” might also mean that the TPM has been initialized by a previous operating system. So it is always better to check the status using PowerShell:

Get-TPM

Since Windows 10 (1511), the Get-TPM output also includes lockout counters (for TPM 2.0), shown in the screenshot above.
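Reading those counters in a script makes it possible to tell a hardware lockout apart from the other "limited functionality" states and to estimate how long a wait is needed. The following is an added example, not code from the original post: it wraps Get-Tpm, treats the LockoutCount/LockoutMax properties as absent on builds that do not expose them, converts the count into hours using the TPM 2.0 figure given above (one attempt forgotten every 2 hours), and shows the cmdlet form of solution 1, Unblock-Tpm with the TPM Owner Password. The -OwnerAuthorization parameter of Unblock-Tpm and the property names are taken from the Windows TPM module; the 2-hour figure is the post's.

```powershell
# Added example, not from the original post: report TPM lockout state and
# estimate the remaining heal time. Requires an elevated session.

function Get-TpmLockoutReport {
    # HoursPerAttempt: TPM 2.0 forgets one failed attempt every 2 hours (per the post).
    param([int] $HoursPerAttempt = 2)
    $tpm = Get-Tpm
    # Builds before Windows 10 1511 do not expose the counters, so report
    # "unknown" ($null) instead of a misleading zero.
    $count = if ($tpm.PSObject.Properties['LockoutCount']) { $tpm.LockoutCount } else { $null }
    $max   = if ($tpm.PSObject.Properties['LockoutMax'])   { $tpm.LockoutMax }   else { $null }
    [pscustomobject]@{
        TpmPresent            = $tpm.TpmPresent
        TpmReady              = $tpm.TpmReady
        LockedOut             = $tpm.LockedOut
        LockoutCount          = $count
        LockoutMax            = $max
        # Hours until every recorded failure has aged out (a full reset);
        # 32 failures x 2 hours gives the 64 hours quoted in the post.
        EstimatedHoursToClear = if ($null -ne $count) { $count * $HoursPerAttempt } else { $null }
    }
}

function Unblock-TpmWithOwnerAuth {
    # Solution 1 from the post in cmdlet form: needs local admin and the TPM
    # Owner Password. Takes a SecureString so the secret is not left in history.
    param([Parameter(Mandatory)] [securestring] $OwnerPassword)
    $plain = [System.Net.NetworkCredential]::new('', $OwnerPassword).Password
    try {
        Unblock-Tpm -OwnerAuthorization $plain
    }
    finally {
        $plain = $null
    }
}

$report = Get-TpmLockoutReport
$report | Format-List
if ($report.LockedOut) {
    Write-Warning "TPM is locked out. Estimated full reset in $($report.EstimatedHoursToClear) hours if no further attempts are made."
    # To unlock immediately (solution 1), an administrator who holds the owner password runs:
    # Unblock-TpmWithOwnerAuth -OwnerPassword (Read-Host -AsSecureString 'TPM Owner Password')
}
```

Note that LockedOut = True with TpmReady = False is the state that tpm.msc labels “Ready for use with limited functionality”, whereas a TPM initialized by a previous OS shows the same label without the lockout flag.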

To unlock the TPM from tpm.msc you need to be an administrator of the machine and be in possession of the TPM Owner Password. We will talk about the TPM Owner Password in detail in one of the future posts.

Of course, this method will not work when the TPM is locked out by the BitLocker PIN (before you get into Windows). For BitLocker-related lockouts you need to wait, as there is no working workflow to unlock the TPM in this scenario, except using another protector, for instance the 48-digit Recovery Password, to get into Windows.

Some of you have probably already noticed 3 new GPO policies (added in Windows 8) that are supposed to influence the TPM’s built-in anti-hammering logic by introducing a software layer that accumulates failed PIN attempts before forcing the TPM into hardware lockout. The idea is to reduce the number of true, hardware lockouts. However, according to my tests these policies don’t work on any of the tested systems (Win8, Win8.1, Win10), so I am trying to get confirmation from our developers about what’s going on. Once I get some information I will update this post.

The GPOs I am talking about can be located in:

Computer Configuration\Administrative Templates\System\Trusted Platform Module Services

Standard User Individual Lockout Threshold (default: 4)

Standard User Total Lockout Threshold (default: 9)

Standard User Lockout Duration (default 8 hours)


Hope this post was informative for you and I wish you good day.

[White Paper] The Successful Cloud Partner 2.0: What IT Solution Providers Need to Know to Build a Profitable Cloud Business [Updated 7/10]



IDC, an IT market research firm, surveyed IT vendors that have made the shift to the cloud, with the cooperation of Microsoft, and compiled the results in a booklet titled “The Successful Cloud Partner”.
It offers clear, accessible hints on the many issues to consider when running a cloud business: how the revenue structure changes, how the organization should be set up, how sales representatives should be compensated, and more. We encourage you to read it.

▼ [White Paper] The Successful Cloud Partner 2.0 is available here



WPC UK Lounge Meet and Mix Networking Session, Monday 11th


If you’re a UK WPC registered partner, be sure to drop by the UK Lounge on Monday 11th between 4.30 and 6pm to take part in our Partnering for Growth initiative.

Find the Partners You’re Looking For

Whether you have technology or IP and are looking to connect with another partner who can offer scale, or you’re looking for a specialist in Voice, don’t miss this opportunity to connect with other partners. We’re serving drinks and hopefully helping you to connect.

Look forward to seeing you.

Does a service account get Group Policy?


Asking the question is answering it: no, it doesn’t. This is so natural that you never think about it until you really start considering it. The fact is, you need an interactive logon to process GPO or logon scripts. So other kinds of logon such as service logon or network logon do not have GPO applied. The same goes for managed service accounts (both kinds): no GPO.

Even stranger is that we don’t seem to have this factoid documented. So until something better comes along, I guess this is it! Feel free to let me know if you find a solid reference.

Founding for Advanced Users: In Conversation with the Start-ups of the 5th Accelerator Class


Creative, innovative, and ready to take the decisive step further for the success of their own project: that more than aptly characterizes the eight start-ups that completed the 5th class of the Microsoft Accelerator program at the end of June.

The range of topics the young founder teams have dedicated themselves to was again very broad this year: from a health app to a logistics helper to music sharing, everything was represented.
Over the past four months, the teams worked on their projects on the founders’ floor of Microsoft Berlin in the Unter den Linden office, completed workshops and coaching sessions, and prepared meticulously for their next steps. After their successful presentation of project ideas and business models at the Demo Night, we visited them and asked what they had benefited from most in recent months.

“A great experience that helped us build a network here in Germany,” says Daniel Jadraque, CEO of Datary.

“Through the Accelerator we were able to gain more reach and form new collaborations with various partners,” says Benjamin Pochhammer, COO at Caspar.

“Making new contacts in the Microsoft network and with partners, as well as acquiring technical expertise, were especially helpful for us,” says Stylianos Chiotellis, CEO at Factor-E.

“We benefited in particular from the Azure cloud platform and, of course, from Berlin as a start-up location,” says André Sommer, CEO at HiDoc.

More information about the Microsoft Accelerator can be found here. We have made information about the start-ups of the 5th class of the Microsoft Accelerator available for you here.

A post by Pina Kehren
Communications Manager Mobile Devices, Digital Education & Innovation

Which Linux Integration Services should I use in my Linux VMs?


Overview
If you run Linux guest VMs on Hyper-V, you may wonder about how to get the “best” Linux Integration Services (LIS) for your Linux distribution and usage scenario.  Getting the “best” is a bit nuanced, so this blog post gives a detailed explanation to enable you to make the right choice for your situation.

Microsoft has two separate tracks for delivering LIS.  It’s important to understand that the tracks are separate, and don’t overlap with each other.  You have to decide which track works best for you.

“Built-in” LIS
One track is through the Linux distro vendors, such as Red Hat, SUSE, Oracle, Canonical, and the Debian community.  Developers from Microsoft and the Linux community at large submit LIS updates to the Linux Kernel Mailing List, and get code review feedback from the Linux community.  When the feedback process completes, the changes are incorporated into the upstream Linux kernel as maintained by Linus Torvalds and the Linux community “maintainers”.

After acceptance Microsoft works with the distro vendors to backport those changes into whatever Linux kernel the Linux distro vendors are shipping.  The distro vendors take the changes, then build, test, and ultimately ship LIS as part of their release.  Microsoft gets early versions of the releases, and we test as well and give feedback to the distro vendor.  Ultimately we converge at a point where we’re both happy with the release. We do this with Red Hat, SUSE, Canonical, Oracle, etc. and so this process covers RHEL, CentOS, SLES, Oracle Linux, and Ubuntu.  Microsoft also works with the Debian community to accomplish the same thing.

This track is what our documentation refers to as “built-in”.  You get LIS from the distro vendor as part of the distro release.  And if you upgrade from CentOS 7.0 to 7.1, you’ll get updated LIS with the 7.1 update, just like any other Linux kernel updates.  Same from 7.1 to 7.2. This track is the easiest track, because you don’t do anything special or extra for LIS – it’s just part of the distro release.  It’s important to note that we don’t assign a version number to the LIS that you get this way.  The specific set of LIS changes that you get depends on exactly when the distro vendor pulled the latest updates from the upstream Linux kernel, what they were able to include (they often don’t include every change due to the risk of destabilizing), and various other factors.  The tradeoff with the “built-in” approach is that you won’t always have the “latest and greatest” LIS code because each distro release is a snapshot in time.  You can upgrade to a later distro version, and, for example, CentOS 7.2 will be a later snapshot than CentOS 7.1.  But there are inherent delays in the process.  Distro vendors have freeze dates well in advance of a release so they can test and stabilize.  And, CentOS, in particular, depends on the equivalent RHEL release.

End customer support for “built-in” LIS is via your Linux distro vendor under the terms of the support agreement you have with that vendor.  Microsoft customer support will also engage under the terms of your support agreement for Hyper-V.   In either case, fixing an actual bug in the LIS code will likely be done jointly by Microsoft and the distro vendor.  Delivery of such updated code will come via your distro vendor’s normal update processes.

Microsoft LIS Package
The other track is the Microsoft-provided LIS package, which is available for RHEL, CentOS, and the Red Hat Compatible Kernel in Oracle Linux.  LIS is still undergoing a moderate rate of change as we make performance improvements, handle new things in Azure, and support the Windows Server 2016 release with a new version of Hyper-V.  As an alternative to the “built-in” LIS described above, Microsoft provides an LIS package that is the “latest and greatest” code changes.  We provide this package backported to a variety of older RHEL and CentOS distro versions so that customers who don’t stay up-to-date with the latest version from a distro vendor can still get LIS performance improvements, bug fixes, etc.   And without the need to work through the distro vendor, the Microsoft package has shorter process delays and can be more “up-to-date”.   But note that over time, everything in the Microsoft LIS package shows up in a distro release as part of the “built-in” LIS.  The Microsoft package exists only to reduce the time delay, and to provide LIS improvements to older distro versions without having to upgrade the distro version.

The Microsoft-provided LIS packages are assigned version numbers.  That’s the LIS 4.0, 4.1 (and the older 3.5) that you see in the version grids in the documentation, with a link to the place you can download it.  Make sure you get the latest version, and ensure that it is applicable to the version of RHEL/CentOS that you are running, per the grids.

The tradeoff with the Microsoft LIS package is that we have to build it for specific Linux kernel versions.  When you update a CentOS 7.0 to 7.1, or 7.1 to 7.2, you get changes to the kernel from CentOS update repos.  But you don’t get the Microsoft LIS package updates because they are separate.  You have to do a separate upgrade of the Microsoft LIS package.  If you do the CentOS update, but not the Microsoft LIS package update, you may get a binary mismatch in the Linux kernel, and in the worst case, you won’t be able to boot.  The result is that you have extra update steps if you use the Microsoft provided LIS package.  Also, if you are using a RHEL release with support through a Red Hat subscription, the Microsoft LIS package constitutes “uncertified drivers” from Red Hat’s standpoint.  Your support services under a Red Hat subscription are governed by Red Hat’s “uncertified drivers” statement here:  Red Hat Knowledgebase 1067.

Microsoft provides end customer support for the latest version of the Microsoft provided LIS package, under the terms of your support agreement for Hyper-V.  If you are running other than the latest version of the LIS package, we’ll probably ask you to upgrade to the latest and see if the problem still occurs.  Because LIS is mostly Linux drivers that run in the Linux kernel, any fixes Microsoft provides will likely be as a new version of the Microsoft LIS package, rather than as a “hotfix” to an existing version.

Bottom-line
In most cases, using the built-in drivers that come with your Linux distro release is the best approach, particularly if you are staying up-to-date with the latest minor version releases.  You should use the Microsoft provided LIS package only if you need to run an older distro version that isn’t being updated by the distro vendor.  You can also run the Microsoft LIS package if you want to be running the latest-and-greatest LIS code to get the best performance, or if you need new functionality that hasn’t yet flowed into a released distro version.  Also, in some cases, when debugging an LIS problem, we might ask you to try the Microsoft LIS package in order to see if a problem is already fixed in code that is later than what is “built-in” to your distro version.

Here’s a tabular view of the two approaches, and the tradeoffs:

| Feature/Aspect | “Built-in” LIS | Microsoft LIS package |
|---|---|---|
| Version Number | No version number assigned. Don’t try to compare with the “4.0”, “4.1”, etc. version numbers assigned to the Microsoft LIS package. | LIS 4.0, 4.1, etc. |
| How up to date? | Snapshot as of the code deadline for the distro version. | Most up-to-date because released directly by Microsoft. |
| Update process | Automatically updated as part of the distro update process. | Requires a separate step to update the Microsoft LIS package. Bad things can happen if you don’t do this extra step. |
| Can get latest LIS updates for older distro versions? | No. Only path forward is to upgrade to the latest minor version of the distro (6.8, or 7.2, for CentOS). | Yes. Available for a wide range of RHEL/CentOS versions back to RHEL/CentOS 5.2. See this documentation for details on functionality and limitations for older RHEL/CentOS versions. |
| Meets distro vendor criteria for support? | Yes. | No, for RHEL. Considered “uncertified drivers” by Red Hat. Not an issue for CentOS, which has community support. |
| End customer support process | Via your distro vendor, or via Microsoft support. LIS fixes delivered by distro vendor normal update processes. | Via Microsoft support per your Hyper-V support agreement. Fixes delivered as a new version of the Microsoft LIS package. |

Install/Update errors using the latest version of the Office Deployment Tool 16.0.7118.5775


Issue: After the recent release of the Office Deployment Tool version 16.0.7118.5775, users are seeing install/update failures because the V32.cab data file does not come down with the source file download.

The errors seen are 30029.1011 and a few others, all stemming from the missing v32.cab file.

NOTE: The engineering team is aware of this issue and is working on releasing an updated version of the Office Deployment Tool as soon as possible.

Workaround: The current workaround is to copy the v32_16.0.xxxx.xxx.cab file and rename the copy to v32.cab (see below).

 

Step 1: Source file location after the initial download. As stated above, the v32.cab file is missing.

SourceLayout

Step 2: Copy the file, then paste the copy, as seen below.

SourceLayout2

Step 3: Then rename the copied V32_versioned.cab to v32.cab so that installs/updates continue as expected.

SourceLayout3

Security Bulletins July 2016


In July, Microsoft released eleven security updates, six of which are rated “critical” and five “important”. The updates close security vulnerabilities in Microsoft Windows (client and server), Microsoft Office (Mac and Windows), Internet Explorer and Edge, as well as .NET Framework.

No new Security Advisories were published in July.

We advise users to install all updates. Further information on this month’s security updates, including the detailed Exploit Index (XI) per vulnerability, can be found on the overview page of the Microsoft Bulletins. If you do not know how we calculate the XI, you can find all the details on this page.

 

SCDPM 2012 R2 – Host Server Backup Using Bare Metal Recovery


1. Install the “Windows Server Backup” feature

Run the Add Roles and Features Wizard > click the “Next” button.

Click the “Next” button.

Because the “Windows Server Backup” feature must be installed on the server to be backed up, select that server in the “Server Pool” and click the “Next” button.

Click the “Next” button.

Under “Features”, select “Windows Server Backup” and click the “Next” button.

Click the “Install” button.

The “Windows Server Backup” feature installation proceeds. After it completes, click the Close button and restart the server.

For the backup, a disk must be attached to the server on which DPM is installed.

 

2. Install the DPM agent

Run the DPM console and select “Management”.

Select “Agents” and click the “Install” button that appears at the top.

The “Protection Agent Installation Wizard” window appears. Select “Install agents” and click the “Next” button.

From the computer list on the left, select the servers on which to install the DPM agent and click the “Add” button. Click the “Next” button.

Enter the account and password and click the “Next” button.

Select “Yes. Restart the selected computers after installing the protection agents” and click the “Next” button.

Review the summary and click the “Install” button.

The DPM agent installation proceeds.

After it completes, click the “Close” button.

The computers on which the agent has been installed now appear in the DPM console.

 

3. Configure the disk to be used for DPM backups

Select “Disks” and click the “Add” button that appears at the top.

The “Add Disks to Storage Pool” window appears. In the “Available disks” list, select the disk you want to use and click the “Add” button.

Click the “OK” button. If a warning window appears, click the “Yes” button.

The disk is being added.

You can confirm that the disk has been added successfully.

 

4. Backup (creating a protection group)

In the DPM Administrator Console, select “Protection”.

Select Protection Groups and click the “New” button that appears at the top.

The “Create New Protection Group” window appears. Click the “Next” button.

For the protection group type, select “Servers” and click the Next button.

Under group members, select the members to protect. After selecting them, click the “Next” button.

Under data protection method, enter the “Protection group name”, and for the protection method select “Disk” under “I want short-term protection using”.

Click the “Next” button.

Under short-term goals, configure the “Retention range”, “Synchronization frequency”, and so on, then click the “Next” button.

Under review disk allocation, select “Automatically grow the volumes” and click the “Next” button.

Under choose replica creation method, select “Now” under “Automatically over the network”. Then click the “Next” button.

Under consistency check options, select “Run a consistency check if a replica becomes inconsistent” and click the “Next” button.

Review the summary and click the “Create Group” button.

Protection group creation proceeds.

When protection group creation completes, click the “Close” button.

The newly created protection group can be seen in the DPM Administrator Console. The replica creation job proceeds.

All replicas for the protection group have been created successfully.

 

5. Recovery

In the DPM console, select “Recovery”. Select the computer to recover, then select “All DPM Protected Data” > “System Protection”. Select the recovery point, and under “Recoverable Item” at the bottom of the DPM console select “Bare Metal Recovery”.

Select “Bare Metal Recovery”, right-click, and choose “Recover…” from the pop-up menu.

The “Recovery Wizard” window appears. Click the “Next” button.

Under recovery type, select “Copy to a network folder” and click the “Next” button.

Under specify destination, click the “Browse” button to the right of “Destination”.

Under “Specify Alternate Recovery Destination”, select “Recovery” and click the “OK” button.

Confirm the destination and destination path, then click the “Next” button.

Under specify recovery options, configure “Restore security”, “Network bandwidth usage throttling”, and so on, then click the “Next” button.

Review the summary and click the “Next” button.

Recovery proceeds.

After recovery completes, click the “Close” button.

Assign share permissions to the recovery folder that was created. As shown in the figure below, select “DPM_Recovered_At_XXXXXXXX” inside the created recovery folder, right-click, and select “Properties”.

In the folder properties, select the “Sharing” tab and click the “Advanced Sharing” button. In the Advanced Sharing window, check “Share this folder” and click the “Permissions” button.

Under group or user names, add “Everyone”, check only the “Read” permission, and click the “OK” button.

 

6. Host Server recovery test

Format or delete the hard disk of the server on which the recovery test will be performed.

For recovery, start the installation process using the Windows Server 2012 R2 installation CD or USB. At the step shown in the figure below, click the “Next” button.

On the screen shown in the figure below, click “Repair your computer” at the lower left.

Click “Troubleshoot”.

Click “System Image Recovery”.

When a warning window appears as shown in the figure below, click the “Retry” button.

Select “Select a system image” at the bottom and click the “Next” button.

On the screen shown below, click the “Advanced” button.

When the “Re-image your computer” window appears as shown in the figure below, select “Search for a system image on the network”.

When the warning “Are you sure you want to connect to the network?” appears, click “Yes”.

The network connection proceeds. By default, DHCP must be configured for recovery. If DHCP is not configured, click the “Advanced” button and configure the network manually.

After the network connection completes, enter the location of the folder containing the recovery files in “Network folder” as shown in the figure below, and click the “OK” button.

Under “Enter network credentials”, enter a domain account and password and click the “OK” button.

The recovery file information appears as shown in the figure below. Select the file to recover and click the “Next” button.

Confirm the information as shown in the figure below and click the “Next” button.

Click the “Next” button.

Click the “Finish” button.

Computer recovery proceeds.

After recovery completes, the host server operates normally.

### Notes ###

DHCP configuration is required for Host Server recovery. If DHCP is not configured, the network must be configured manually as shown in the figure below.

 

To switch the specified adapter from a static address to DHCP, type the following command:

netsh interface ip set address "Local Area Connection" dhcp

NOTE: Typing this command changes the interface named “Local Area Connection” to DHCP.

To display all of the adapters in the computer with their current IP addresses to determine the correct adapter name, type the following command:

Netsh interface ip show config

To change to a static address, type the following command:

netsh interface ip set address "Local Area Connection" static ipaddr subnetmask gateway metric

NOTE: Replace ipaddr with the static IP address, subnetmask with the subnet mask, gateway with the default gateway and, if necessary, metric with the appropriate metric. The following example changes the interface “Local Area Connection” to a static address of 192.168.0.10 with a subnet mask of 255.255.255.0, and the interface has a default gateway of 192.168.0.1 with a metric of 1:

netsh interface ip set address "Local Area Connection" static 192.168.0.10 255.255.255.0 192.168.0.1 1

Source: <https://support.microsoft.com/en-us/kb/257748>


How to Deploy the System Center Operations Manager 2012 R2 Agent to Linux Servers


Hello. In this post I will describe how to deploy the agent to monitor Linux servers with SCOM 2012 R2.

Linux agent prerequisites

CentOS

* For CentOS, the Development Libraries and Development Tools package groups (under Development) must be installed before the agent can be deployed.

* SSH access required

Ubuntu

For Ubuntu, the OpenSSH server must be installed.

The install command is:

sudo apt-get install openssh-server

If the error “Package openssh-server has no installation candidate” is shown, run sudo apt-get update and then run the OpenSSH Server install command again.

* SSH access required

Firewall:

TCP ports 1270 and 22 must be allowed inbound

* The Linux server must be resolvable when the SCOM server performs a DNS query

 

Download the SCOM 2012 R2 Linux/UNIX MP from the link below

Download: https://www.microsoft.com/en-us/download/details.aspx?id=29696

Run the downloaded MP installer

Select I Accept and click the Next button

Select Everyone and click the Next button.

Click the Install button.

Installation is in progress.

When installation completes, click the Close button.

Connect to the SCOM server using the SCOM Console

Click the Administration -> Management Packs menu, then click Import Management Packs… in the Tasks menu.

Select Add -> Add from disk….

To check the online catalog connection, click the Yes button.

Connecting to the online catalog.

Select the path C:\Program Files (x86)\System Center Management Packs\System Center 2012 R2 Management Packs for UNIX and Linux.

Select the MPs below and click the Open button.

  • Linux Operating System Library
  • Universal Linux Operating System Library
  • Universal Linux Monitoring
  • Universal Linux (Debian) Library
  • Universal Linux (RPM) Library

     

Once they have been added, click the Install button.

MP import is in progress.

MP import has completed. Click the Close button.

Now create a resource pool for monitoring Linux.

Select Administration -> Resource Pools, then click Create Resource Pool… in the action bar on the right.

Enter Unix Linux Monitoring Pool as the name and click the Next button.

Under Pool Membership, click the Add… button and select the server on which SCOM 2012 is currently configured. Once it is selected, click the Next button.

The configured values are displayed. If everything is correct, click the Create button.

Resource pool creation has completed. Click the Close button.

Now configure the account used to monitor Linux.

Select Administration -> Run As Configuration -> UNIX/Linux Accounts, then click Create Run As Account… in the action bar on the right.

When the account creation window appears, select Monitoring Account and click the Next button.

Enter Linux Monitoring Account as the name and click the Next button.

For the account information, enter the common account used on the Linux servers.

After entering the account information, click the Next button.

Select Less secure and click the Create button.

The account has been created successfully and the next steps are displayed. Click the Close button.

The monitoring account you created must then be added to the UNIX/Linux profiles.

Select Administration -> Run As Configuration -> Profiles and you will see “UNIX/Linux Action Account”, “UNIX/Linux Agent Maintenance Account”, and “UNIX/Linux Privileged Account”.

* The monitoring account must be configured for all three.

Select UNIX/Linux Action Account, right-click, and select Properties.

When the Properties window opens, select Run As Accounts and click the Add… button.

When the add account window opens, select the monitoring account you created under Run As Account, select All targeted objects under the This Run As Account… item, and click the OK button.

You can confirm that the monitoring account has been added successfully.

Click the Save button.

The monitoring account has been added to the profile successfully.

Perform the same steps for the remaining two profiles.

Select Administration and click Discovery Wizard…; a window for finding the computers to deploy the agent to appears. Select UNIX/Linux computers and click the Next button.

The computer add section is displayed. Click the Add… button, enter the IP address of the Linux server to add in Discovery Scope, and click Set Credentials… to enter the authentication information.

When the Credentials window opens, select user name and password, enter the user information, and click the OK button.

Once the credentials are configured, click the Save button.

The information you just entered is displayed. If it is correct, select Unix Linux Monitoring pool under Select target resource pool and click the Discover button.

Discovery is in progress.

The Linux servers were found. Select all Linux servers and click the Manage button to install the agent.

The agent has been deployed to the Linux servers successfully. Click the Done button to complete agent deployment.

Select Monitoring -> UNIX/Linux Computers to view the list of Linux servers to which the agent has been deployed.

 

Determining the Dominant User and Setting the ManagedBy Computer Attribute


Hi again, this is Stephen Mathews and I’m here to talk about how to determine the dominant or primary user of a Windows operating system. This insight can help administrators facilitate direct communication with the affected user when a system needs management, and can even help non-enterprise users, such as a parent questioning which child is using their computer the most.

We’ll consider the different types of login data available, show how to expose it in the various OS instruments, and then use that information to update the system’s Active Directory computer object ‘ManagedBy’ attribute.

This post uses PowerShell Version 5 on Windows 10 to illustrate examples and it references settings that may not exist in legacy OS versions. All code examples are for illustration purposes only and should be thoroughly tested in a non-production environment. This post is intended to be used within a client OS using its built-in capabilities. Additionally, it is written from an Asset Tracking perspective and is not directly addressing Security and/or User Auditing concerns.

What type of information are you after?

Are you looking for the currently logged in user on the console, remotely logged in users, the last logged in user, the dominant user, or a list of all users?

How will the information be used: for real-time troubleshooting, historical reference, or external app consumption?

Will you script a solution, if so where will you output the data? Will the script be run manually or automatically, if automatically will you use a startup or login script, or a scheduled task?

File System

The filesystem can be the quickest and most efficient way to determine the regular users of a system. By expanding the ‘UserProfile’ environmental variable’s parent directory, you can see users that have had a profile created on that machine. You can check these profile directories and see the Created, Accessed, Modified, and Written timestamps for all of the systems’ users.

Unfortunately, this can also be the most misleading. The user profile directories are mapped via a Security Identifier (SID) that is stored in the registry. If a user account’s logon name is changed, they will still map to the original folder name. Also, if a user’s profile is corrupted they may not get a local directory and be redirected to the default profile. Additionally, the timestamps may not be updating depending on your OS version and/or auditing settings for those folders. And finally, you may not have rights to see the folders or their attributes.

  • Useful for: All Users, Last Logged On (Last access time), Dominant User (Timespan between created and last access time)
  • Get-ChildItem -Path (Get-Item -Path $env:USERPROFILE).PSParentPath | Select-Object -Property Name,*time*

Registry

The registry contains all the configurations and settings for the OS. There are multiple locations in the registry to find specific information about the users. User accounts are usually stored as SIDs inside the registry and will need to be converted into account names.

  • You can resolve a SID directly inside PowerShell which you’ll see later. You can see additional examples of this in Working with SIDs. This code will be worked into a customized Select-Object property hash-table; you can read about that in Using Calculated Properties.
  • (New-Object -TypeName System.Security.Principal.SecurityIdentifier("S-1-5-18")).Translate([System.Security.Principal.NTAccount])

  • $Object | Select-Object -Property SID,@{Name="Account";Expression={((New-Object -TypeName System.Security.Principal.SecurityIdentifier($_.SID)).Translate([System.Security.Principal.NTAccount])).Value}}

The registry is a sensitive part of the OS and can be corrupted. This risk of corruption leads many organizations to strictly limit and audit registry access. Certain registry settings may change only during startup and/or login, meaning the data may be stale while it’s being queried.

  • Useful for: All Users
  • Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" -Recurse

  • Useful for: Currently logged on users:
  • reg query HKU

  • Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\hivelist

WMI

Windows Management Instrumentation is an infrastructure that exposes the OS to management. You can find current configuration settings, then get and set those properties.

WMI queries can be difficult to construct and may be resource intensive to the point of resource exhaustion. Take precautions to test the retrieving and setting of WMI components in a test environment before using inside production. Access to WMI may be restricted and audited for the same reasons as the registry.

  • Useful for: All Users, Last Logged On (Last use time), Currently Logged On (Loaded)
  • Get-WmiObject -Class Win32_UserProfile | Select-Object -Property SID,LocalPath,Loaded,LastUseTime,@{Name="Account";Expression={((New-Object -TypeName System.Security.Principal.SecurityIdentifier($_.SID)).Translate([System.Security.Principal.NTAccount])).Value}}

  • Useful for: Currently Logged On (Console)
  • Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property *ername*

ADSystemInfo

This is an overlooked tool to identify current system Active Directory network settings. The ‘UserName’ property will report the currently logged in user. It requires network connectivity to return settings and there’s no inherent way to run it remotely.

  • Useful for: Currently Logged On (Console)
  • $ADSystemProps = @("ComputerName","DomainDNSName","DomainShortName","ForestDNSName","IsNativeMode","PDCRoleOwner","SchemaRoleOwner","SiteName","UserName")

    $ADSystemInfo = New-Object -ComObject "ADSystemInfo"

    # The COM object exposes its properties only through late binding, so each one is read via InvokeMember
    foreach ($ADSystemProp in $ADSystemProps) {

    $Value = $ADSystemInfo.GetType().InvokeMember($ADSystemProp, "GetProperty", $Null, $ADSystemInfo, $Null)

    $ADSystemInfo | Add-Member -MemberType NoteProperty -Name $ADSystemProp -Value $Value -Force

    }

    $ADSystemInfo

Event Logs

Event logs are the record keepers of all activities on the system. As such they are the definitive source for tracking the login process. Logging can be turned on or off per provider and the logging level can be tailored based upon the event type: Critical, Error, Warning, Information, and Verbose. The ‘UserID’ property is typically set to the SID of the account creating the event, this is automatically translated for you in the Event Viewer. If the individual Event Log does not populate the ‘UserID’ property, you can parse the event message text with a SID to find events.

  • Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" | Select-Object -First 1 -Property *


  • Get-WinEvent -LogName Security | Select-Object -First 1 -Property *

The event log filter can be difficult to configure and a poorly created filter may be resource intensive to the point of resource exhaustion. Access to certain logs may be restricted and not all event logs record the same information in their properties. Furthermore, the logs may be collected into a central repository, making them unavailable or lacking significant detail to make an accurate determination.

The first example uses the Group Policy Operational log and groups the events by ‘UserID’. In the second example the events do not populate the ‘UserID’ property, so the message data is parsed for matching SIDs; the list of SIDs is taken from the Win32_UserProfile class.

  • Useful for: All Users, Dominant User (Count)
  • Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" | Group-Object -Property UserID | Sort-Object -Property Count -Descending | Select-Object -Property Count,Name,@{Name="Account";Expression={((New-Object -TypeName System.Security.Principal.SecurityIdentifier($_.Name)).Translate([System.Security.Principal.NTAccount])).Value}}

  • $SecurityEvents = Get-WinEvent -FilterHashTable @{LogName="Security";ID=4624}

    $WMIUserProfiles = Get-WmiObject -Class Win32_UserProfile

    foreach ($WMIUser in $WMIUserProfiles) {

    $WMIUser | Add-Member -MemberType NoteProperty -Name Account -Value ((New-Object -TypeName System.Security.Principal.SecurityIdentifier($WMIUser.SID)).Translate([System.Security.Principal.NTAccount])).Value

    $WMIUser | Add-Member -MemberType NoteProperty -Name Events -Value ($SecurityEvents | Where-Object {($_.Properties).Value -contains $WMIUser.SID}).Count

    $WMIUser | Select-Object -Property Events,Account,SID

    }
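The 4624 count above includes network, batch and service logons, which can make a file server or a management account look like the dominant user. The following added example (not from the original post) restricts the count to the logon types that mean a person at the console or in an RDP session and drops built-in and computer accounts; the look-back window, the logon-type list and the function name are assumptions, and it needs to run elevated because the Security log requires administrative rights.

```powershell
# Added example: rank interactive logons by account from Security event 4624.
# Assumes an elevated session; the -Days default and logon-type list are assumptions.
function Get-DominantInteractiveUser {
    [CmdletBinding()]
    param(
        [int]$Days = 30,                       # look-back window
        [int[]]$LogonTypes = @(2, 7, 10, 11)   # Interactive, Unlock, RemoteInteractive, CachedInteractive
    )

    $filter = @{
        LogName   = 'Security'
        ID        = 4624
        StartTime = (Get-Date).AddDays(-$Days)
    }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Access denied or an empty window both end up here; report and return nothing.
        Write-Warning "Could not read the Security log: $($_.Exception.Message)"
        return
    }

    $counts = @{}
    foreach ($event in $events) {
        # Parse the event XML so fields are addressed by name rather than by position.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ([int]$data['LogonType'] -notin $LogonTypes) { continue }
        $sid = $data['TargetUserSid']
        # Keep only real user accounts: domain and local accounts carry the S-1-5-21- prefix,
        # which excludes SYSTEM, LOCAL SERVICE, window manager and font driver accounts.
        if ($sid -notlike 'S-1-5-21-*') { continue }
        if ($data['TargetUserName'] -like '*$') { continue }   # computer accounts
        $counts[$sid] = 1 + [int]$counts[$sid]
    }

    $counts.GetEnumerator() | ForEach-Object {
        $sid = $_.Key
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid   # keep the raw SID if it no longer resolves (deleted or untrusted account)
        }
        [pscustomobject]@{ Logons = $_.Value; Account = $account; SID = $sid }
    } | Sort-Object -Property Logons -Descending
}

# The top entry is the dominant user; its sAMAccountName can be fed to the ManagedBy script below.
$ranking = Get-DominantInteractiveUser -Days 30
$ranking | Format-Table -AutoSize
if ($ranking) { $DomUser = $ranking[0].Account.Split('\')[-1] }
```

Compare the result with the Win32_UserProfile LastUseTime ranking: a profile that is loaded but has no interactive logons in the window usually belongs to a service or scheduled task, not to a person.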

System Center Configuration Manager

For those of you with SCCM, it does the hard work for you in its Asset Intelligence feature set. Click to read more about the SMS_SystemConsoleUser Client WMI Class that calculates the dominant user for you. Here are a couple of screen shots.


Using the information

In this example, we want to update the Active Directory computer object ‘ManagedBy’ attribute with the dominant user. For this to work, the default permissions on that attribute must first be edited in the Organizational Unit where the computer object resides. Step two uses a script to perform the update; there are easier ways to do this, but we want a process that is as intrinsic to the OS as possible.

  • On the OU where the computer objects are, add permissions for SELF for Descendent Computer objects and select “Write ManagedBy”.
  • #Create the script below and feed it the 'UserName' determined from the above solutions
    $DomUser = "UserName"

    #Set Filter strings for locating objects in AD
    $strComputerFilter = "(&(objectCategory=Computer)(name=" + $env:COMPUTERNAME + "))" #get current computer name from environment variable
    $strFilter = "(&(objectCategory=User)(samaccountName=$DomUser))" #username set to $DomUser defined above

    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = $strFilter
    $objSearcher.SearchScope = "Subtree"

    #find LDAP path for User
    $ADUser = $objSearcher.FindAll()

    #create PowerShell ADSI object for User
    $ADSIUser=[ADSI]$ADUser.path

    #find LDAP path for Computer
    $objSearcher.Filter = $strComputerFilter
    $computer = $objSearcher.FindAll()

    #create PowerShell ADSI object for Computer
    $ADComputer=[ADSI]$computer.path

    #set attributes on computer AD object (the computer writes its own object, hence the SELF permission above)
    $ADComputer.managedby = $ADSIUser.distinguishedname
    #$ADComputer.employeeid = $ADSIUser.employeeID
    $ADComputer.setinfo()

  • Then configure the scheduled task to run as System with Highest Priority.



In closing, I hope this explains the different types of login information that can be collected, exposes those information locations for you to use, and inspires you to keep track of your assets. A special thanks to Mike Kanofsky who created the script and found the permissions required to update the ‘ManagedBy’ computer object attribute and to Kevin Kasalonis for his SCCM expertise. Thanks for reading!

How to Fix the Korean Keyboard Not Working When Deploying a VM from System Center Virtual Machine Manager


Hello. This post describes how to fix the problem that, when a Windows VM is deployed with System Center Virtual Machine Manager, the language and region default to the English format, so that even on a Korean-language OS the Korean keyboard is not available by default and only the English keyboard can be used. The problem can be resolved by running PowerShell against the VM Template.

Resolution steps:

1. Run the SCVMM console

2. Library -> VM Template list

3. Run the commands listed below using PowerShell or PowerShell ISE

 

PowerShell Script

Import-Module virtualmachinemanager

$template = Get-SCVMtemplate | where {$_.Name -eq "VM Template 이름"}

$settings = $template.UnattendSettings;

$settings.add("oobeSystem/Microsoft-Windows-International-Core/UserLocale","ko-KR");

$settings.add("oobeSystem/Microsoft-Windows-International-Core/SystemLocale","ko-KR");

$settings.add("oobeSystem/Microsoft-Windows-International-Core/UILanguage","ko-KR");

#$settings.add("oobeSystem/Microsoft-Windows-International-Core/InputLocale","0412:00000412"); #Windows 2012

$settings.add("oobeSystem/Microsoft-Windows-International-Core/InputLocale","0412:E0010412"); #Windows 2008(2003)

#$settings.Remove("oobeSystem/Microsoft-Windows-International-Core/InputLocale"); # sample removal script

Set-SCVMTemplate -VMTemplate $template -UnattendSettings $settings

 

Reference:

Language pack code reference

http://technet.microsoft.com/en-us/library/cc766191(v=ws.10).aspx

Default keyboard (Korean) code reference

http://technet.microsoft.com/en-us/library/cc766503(v=ws.10).aspx

https://msdn.microsoft.com/en-us/goglobal/bb895996

Handling Problems Caused by Clicking Hyperlinks in Office (Workaround Using the ForceShellExecute Registry Value and Its Impact)


Hello, this is Nishikawa from Office Support.
When a hyperlink to another file or page on a server is inserted into an Office file, we receive inquiries that, depending on the environment configuration, clicking it displays an authentication dialog or does not open correctly.

An effective way to handle such cases is to set a registry value called ForceShellExecute.
This article focuses on explaining the ForceShellExecute registry value and describes how to handle such problems and what to consider.
The Office products covered are Word, Excel and PowerPoint, versions Office 2007 and later;
the behavior may change in the future.

 

Contents
1. Description of the ForceShellExecute registry value and how to set it
2. When is the ForceShellExecute registry value used?
3. Impact of setting the ForceShellExecute registry value
4. Related information

 

 

1. Description of the ForceShellExecute registry value and how to set it

The ForceShellExecute registry value changes the internal behavior used when a hyperlink inserted in a file opened with an Office product is followed.
When this registry value is set, the link is opened the way Windows normally does, the same as “Run”.

There are two ways to set it: setting the registry value manually, or using the Fix it tool.

 

1 – 1 ) Setting the registry value manually

Registry path:
[When using 32-bit Office on 64-bit Windows]
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\9.0\Common\Internet

[When using 32-bit Office on 32-bit Windows]
or
[When using 64-bit Office on 64-bit Windows]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\9.0\Common\Internet

Value name:
ForceShellExecute

Data type:
DWORD (0: not set (default), 1: set)

Note: The version number 9.0 in the registry path is common to all versions of Office products.
   If the key does not exist, create it manually.
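The following is an added example, not part of the original article: it picks the key that matches the Office bitness, creates it when it is missing (as the note above requires), writes ForceShellExecute as a DWORD and reads it back for verification. The function names and the -OfficeBitness parameter are assumptions; run it from an elevated 64-bit PowerShell because it writes under HKLM.

```powershell
# Added example (not the article's own script). -OfficeBitness is an assumed parameter:
# pass 32 or 64 to match the installed Office so the correct key (Wow6432Node or not) is chosen.
function Get-ForceShellExecuteKeyPath {
    param([ValidateSet(32, 64)][int]$OfficeBitness)
    # Only 32-bit Office on 64-bit Windows lives under Wow6432Node.
    $wow = [Environment]::Is64BitOperatingSystem -and $OfficeBitness -eq 32
    if ($wow) { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\9.0\Common\Internet' }
    else      { 'HKLM:\SOFTWARE\Microsoft\Office\9.0\Common\Internet' }   # 9.0 is shared by all Office versions
}

function Set-ForceShellExecute {
    param(
        [ValidateSet(32, 64)][int]$OfficeBitness,
        [bool]$Enabled = $true      # $false writes 0, i.e. the default Office behavior
    )
    $path = Get-ForceShellExecuteKeyPath -OfficeBitness $OfficeBitness
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }   # the key may not exist yet
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $path -Name ForceShellExecute -PropertyType DWord -Value $value -Force | Out-Null
    # Read the value back so the caller sees what is actually in the registry.
    [pscustomobject]@{
        Path              = $path
        ForceShellExecute = (Get-ItemProperty -Path $path -Name ForceShellExecute).ForceShellExecute
    }
}

# Enable the Windows shell behavior for 32-bit Office on this machine.
Set-ForceShellExecute -OfficeBitness 32 -Enabled $true
```

Before rolling this out, read section 3 below: the setting disables the WebDAV co-editing path and the sheet/bookmark navigation described there.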

 

1 – 2 ) Using the Fix it tool

You can configure this with the Fix it tool in the following Knowledge Base article.

Refer to the support page below, click the [Download] button in the [Here’s an easy fix] section,
and follow the wizard that appears to configure the registry.

Title: Error message when clicking hyperlink in Office: “Cannot locate the Internet server or proxy server”
Address: https://support.microsoft.com/en-us/kb/218153

 

 

 

2. When is the ForceShellExecute registry value used?

Normally, when Office opens a link inside a file, it processes the path using OS or IE components.
While processing the path, it checks what kind of server the link target is on and what functionality that server provides.

The purpose of this processing is, for example, that when the link target is an Office file placed on a web server
and the web server provides WebDAV functionality, using these components lets the WebDAV Mini-Redirector
provided by Windows redirect the path internally to a UNC-format path and offer the user
the co-editing functionality.

However, under certain conditions such as when a proxy server is used, problems such as an authentication dialog appearing or the file not opening correctly occur,
so there are cases where you do not want Office to use these components to access the link target.

In that case, setting the ForceShellExecute registry value to 1 makes Office open the link not with its standard method
but the way Windows normally does, the same as “Run”.

 

 

3. Impact of setting the ForceShellExecute registry value

Adding the ForceShellExecute registry setting introduces some limitations. The currently known limitations are listed below.

a) When a file is opened via a hyperlink from an Office product, the behavior is identical to opening it by specifying the file name.
This may therefore affect behavior when, for example, you use an add-in that expects files
to be opened by the standard Office method.

b) In an Excel 2010 workbook, when you follow a hyperlink to another workbook, the target workbook does not open.

This is resolved by applying the hotfix described in the following Knowledge Base article.
Title: A workbook that contains a hyperlink to another workbook is not displayed in Excel 2010 when you click the link (machine translation)
Address: https://support.microsoft.com/ja-jp/kb/2597992

c) When you click a link in a PowerPoint .ppsx (slide show format) file that opens another .ppsx file, the target is not opened until the source file is closed.

This can be worked around by saving the source file as .pptx (PowerPoint presentation format).

d) When launching a file from an Office product, a warning dialog such as the following may be displayed.

SecurityNotification

or

OfficeNotification

This can be hidden using the method described in the following Knowledge Base article.

Title: How to enable or disable hyperlink warning messages in 2007 Office programs and Office 2010 programs
Address: https://support.microsoft.com/ja-jp/kb/925757

e) When you follow a hyperlink to an Excel workbook and the file opens, it does not navigate to the linked sheet in the target workbook.

Example) Even if the hyperlink is set as follows, the linked sheet is not opened when the file is opened.

C:\Users\Public\Documents\test.xls#Sheet2!B99

f) When you follow a hyperlink to a Word document and the file opens, it does not navigate to the linked bookmark in the target document.

Example) Even if the hyperlink is set as follows, the linked bookmark is not opened when the file is opened.

C:\Users\Public\Documents\test.docx#Bookmark

 

 

 

4. Related information

Title: You are redirected to a logon page or an error page, or you are prompted for authentication, when you click a hyperlink to an SSO website in an Office document (machine translation)
Address: https://support.microsoft.com/ja-jp/kb/899927

Title: [OFF2003] How to open documents from a website in Office 2003
Address: https://support.microsoft.com/ja-jp/kb/838028

Title: Components for WebDAV access (WebClient and MSDAIPP)
Address: https://technet.microsoft.com/ja-jp/windows/win7_tips64.aspx

The content of this information (including attachments and linked pages) is current as of the date of writing and is subject to change without notice.

Windows Server 2016 Launch Details And More


Yesterday at the Microsoft Worldwide Partner Conference (WPC) in Toronto I was at a breakout session where they discussed the launch timeframe for Windows Server 2016, and now there is a blog post on the Windows Server Blog that includes these details. Below you will find the details they posted, and I’ll include more details from WPC sessions to give an idea of what you should expect and what you should be thinking about as partners. Before we get to that, I’ll highlight some of the important things to be aware of. First, there is the introduction of Long Term Servicing Branch and Current Branch for Business options like those we already have with Windows 10, and you will also see that there are feature/functionality differences between the Standard and Datacenter editions, a change from what we’ve had with the 2012 and 2012 R2 releases.

We are excited to announce the official launch of Windows Server 2016 will be at the Ignite conference this Fall. We hope you can join us in Atlanta for the excitement! Windows Server 2016 is the cloud-ready operating system that delivers new layers of security and Azure-inspired innovation for the applications and infrastructure that power your business. New capabilities will help you:

  • Increase security and reduce business risk with multiple layers of protection built into the operating system.
  • Evolve your datacenter to save money and gain flexibility with software-defined datacenter technologies inspired by Microsoft Azure.
  • Innovate faster with an application platform optimized for the applications you run today, as well as the cloud-native apps of tomorrow.

Technical Preview 5 is our final preview prior to launch and is feature complete, so download it today and try out all the new features in Windows Server 2016. Deploy, manage and secure Windows Server 2016 with the upcoming release of System Center 2016.

Windows Server 2016 editions include:

  • Datacenter: This edition continues to deliver significant value for organizations that need unlimited virtualization along with powerful new features including Shielded Virtual Machines, software-defined storage and software-defined networking.
  • Standard: This edition is ideal for organizations that need limited virtualization but require a robust, general purpose server operating system.
  • Essentials: This edition is designed for smaller organizations with less than 50 users.

These editions will be available for purchase on the October 2016 price list. Details on pricing for Windows Server 2016 can be found here.

It’s also important to note that for the Standard and Datacenter editions, there are three installation options:

  • Server with Desktop Experience: The Server with Desktop Experience installation option (previously known as Server with a GUI) provides an ideal user experience for those who need to run an app that requires local UI or for Remote Desktop Services Host. This option has the full Windows client shell and experience, consistent with Windows 10 Anniversary edition Long Term Servicing Branch (LTSB), with the server Microsoft Management Console (MMC) and Server Manager tools available locally on the server.
  • Server Core: The Server Core installation option removes the client UI from the server, providing an installation that runs the majority of the roles and features on a lighter install. Server Core does not include MMC or Server Manager, which can be used remotely, but does include limited local graphical tools such as Task Manager as well as PowerShell for local or remote management.
  • Nano Server: The Nano Server installation option provides an ideal lightweight operating system to run “cloud-native” applications based on containers and micro-services. It can also be used to run an agile and cost-effective datacenter with a dramatically smaller OS footprint. Because it is a headless installation of the server operating system, management is done remotely via Core PowerShell, the web-based Server Management Tools (SMT), or existing remote management tools such as MMC.

Announcing servicing guidelines for Windows Server 2016

In prior releases, Windows Server has been serviced and supported with a “5+5” model meaning that there is 5 years of mainstream support and 5 years of extended support and this will continue with Windows Server 2016. Customers who choose to install full Windows Server 2016 with a desktop experience or Server Core will maintain this servicing experience, which will be known as the Long Term Servicing Branch (LTSB).

Customers choosing the Nano Server installation will opt into a more active servicing model similar to the experience with Windows 10. Specifically, these periodic releases are known as Current Branch for Business (CBB) releases. This approach supports customers who are moving at a “cloud cadence” of rapid development lifecycles and wish to innovate more quickly. Since this type of servicing continues to provide new features and functionality, Software Assurance is also required to deploy and operate Nano Server in production.

| Installation Option            | LTSB servicing model | CBB servicing model |
|--------------------------------|----------------------|---------------------|
| Server with Desktop Experience | Yes                  | No                  |
| Server Core                    | Yes                  | No                  |
| Nano Server                    | No                   | Yes                 |

Our goal is to provide feature updates approximately two or three times per year for Nano Server. The model will be similar to the Windows client servicing model, but we expect it to have some differences. While we share the same goal of delivering new and valuable technology to our customers rapidly, we understand that a server operating environment has unique requirements.

For example, while it will be necessary to stay current with new versions as they come out, the new versions will not auto-update a server. Instead, a manual installation will be performed by the admin when they choose. Because Nano Server will be updated on a more frequent basis, customers can be no more than two Nano Server CBB releases behind. Only two CBB releases will be serviced at any given time, therefore when the third Nano Server release comes out, you will need to move off of #1 as it will no longer be serviced. When #4 comes out, you will need to move off of #2, and so on.

Windows Server 2016 meets businesses and organizations where they are today, and introduces the innovation needed for the transition to cloud computing when ready. This release puts the power of choice in the hands of our customers, making Windows Server 2016 the perfect stepping stone to the cloud. We hope you join us for the launch at Ignite, and as always, we look forward to your feedback and suggestions as we continue to innovate in Windows Server.
