NZ DSE

PowerShell Script: Extract Operations Manager Severity & Priority Information

JVosloo — Sun, 11 Dec 2011 04:01:20 GMT

MPViewer v1.7 returns no rule severity/priority data for the System Center Configuration Manager Management Pack version 6.0.6000.3 (27/9/2011).
This script can be used to extract that information.

        1: #requires -version 2

       2: <#

       3: author:              Johan Vosloo

       4: date:                3/11/2011

       5: info:                Must be executed from within the Operations Manager shell

       6: severity/alertlevel: http://msdn.microsoft.com/en-us/library/ms813440.aspx

       7: #>

       8: $error.clear()

       9: trap [System.Management.Automation.CommandNotFoundException] {"Command entered does not exist. Please ensure that you are running this script from within the System Center Operations Manager Shell.";continue} trap {"Errors were found.";continue}

if ($error){return} else

{

    #MP

    $configmp=get-managementpack -Name Microsoft.SystemCenter.ConfigurationManager.2007

    #Rules

    $ruleinfo=@()

    $configmp_rules=$configmp.getrules()

    $configmp_enabledrules=$configmp_rules | ?{$_.enabled -eq "true"}

    foreach($configmp_enabledrule in $configmp_enabledrules)

        {

            foreach ($WriteAction in $configmp_enabledrule.WriteActionCollection)

                {

                $config=$writeaction.configuration

                if ($config.contains("<GenerateAlert>true")){

                $config -match "</Description><AlertLevel>(?<content>.*)</AlertLevel><ResolutionState/><Source>" | out-null

                switch ($matches['content'])

                {

                    {$_ -le 20} {$alertlevel="Information";break}

                    {$_ -le 40} {$alertlevel="Warning";break}

                    {$_ -le 70} {$alertlevel="Critical";break}

                }

                }    

                }

            $ruletmpobj=New-Object -Typename psobject –property @{displayname=$configmp_enabledrule.displayname;priority=$configmp_enabledrule.priority;severity=$alertlevel}

            $ruleinfo+=$ruletmpobj

        }

           $ruleinfo | export-csv $home\Desktop\info.csv -notypeinformation

           write-host "Rule data was extracted to $home\Desktop\info.csv" -ForegroundColor green

}

Requirements:

System Center Operations Manager 2007 R2 (tested with CU4)
System Center Operations Manager 2007 R2 command shell
System Center Operations Manager 2007 R2 Administrator Privileges

PowerShell Script: Retrieve Specific Event ID’s From Event Log On Multiple Computers

JVosloo — Sun, 11 Dec 2011 02:59:14 GMT

This script was put together very quickly to accomplish the objective stated in the title.

        1: #requires -version 2.0

       2: <#

       3: author: Johan Vosloo

       4: date: 24/11/2011

       5: purpose: Retrieve event id’s from multiple machines and add to a CSV file.

       6: #>

       7: Try

       8:     {

       9:     $servers=get-content c:\scripts\servers.txt

    $date=(Get-Date).AddDays(-7)

    foreach ($server in $servers)

        {

        if (test-connection $server -quiet)

            {

            $arr1+=get-eventlog -logname system -cn $server -after $date | ?{$_.eventid -eq "21" -or $_.eventid -eq "4201"} | select MachineName,EventID,EntryType,Message

            $arr2+=get-eventlog -logname application -cn $server -after $date | ?{$_.eventid -eq "902" -or $_.eventid -eq "1003"} | select MachineName,EventID,EntryType,Message

            $arr3+=get-eventlog -logname "windows powershell" -cn $server -after $date | ?{$_.eventid -eq "4004"} | select MachineName,EventID,EntryType,Message

            }

        }

        if ($arr1)

            {$arr1 | export-csv c:\scripts\sysoutput.csv -notypeinformation}

        else

            {"No matching system log events found..."}

        if ($arr2)

            {$arr2 | export-csv c:\scripts\appoutput.csv -notypeinformation}

        else

            {"No matching application log events found..."}

        if ($arr3)

            {$arr3 | export-csv c:\scripts\psoutput.csv -notypeinformation}

        else

            {"No matching powershell log events found..."}

    }

Catch

    {

    "An error occurred"

    }

Requirements:

PowerShell v2.0
A servers.txt file in a c:\scripts folder

Creating a Performance Baseline for SQL Server with System Center Operations Manager 2007 R2

JVosloo — Fri, 11 Feb 2011 12:09:00 GMT

Time for a Friday night post. Microsoft PFE raise the absence of system performance baselines pretty much in every Risk Assessment Program (RAP) or Health Check. Customers do not generally create performance baselines.

So, what are the typical uses for a performance baseline? Troubleshooting performance-related issues and facilitating capacity management comes to mind. “Hey, doesn’t Opsmgr have that information by default?” I hear you say. Opsmgr does indeed have some of it, but the performance information, for SQL Server at least, is not complete and only available for 7 days in the OperationsManager database and 10 days in the OperationsManagerDW database (with a default data retention configuration). We need to track performance baselines for systems over a much longer period.

Okay, so what is the plan (and make that step-by-step please)?

Create a super-thorough WinWord template for a SQL Server (+ underlying Windows OS) Performance Baseline, so we know what performance counters, etc will be required – see attached docx.
List all current Opsmgr performance counter collections. The following PowerShell script can be used to do this:
```
Get-PerformanceCounter | Export-Csv $env:HOMEDRIVE\All_Hosts_All_PerfCounters.csv -NoTypeInformation
```

Compare the template created in 1 above with the list created in 2 above. Identify performance collections not done by Opsmgr at present. Note: v6.1.314.35 (July 2010) of the SQL Management Pack and v6.0.6667.0 (September 2009) of the Base OS Management Pack are installed in my lab (yep, my OS MP upgrade release schedule for my personal lab is shocking, in terms of current priorities, it comes right after watching Outrageous Fortune, the V TV Series, analysing the skies for noticeable changes to the ozone layer and about a thousand other things). In my lab, this is the list of performance counters that are not collected:

Object Name	Counter Name
Memory	Pages Input/Sec
Memory	Free System Page Table Entries
Paging file	%Usage Peak
Process (sqlservr)	%Processor Time
Process (msmdsrv)	%Processor Time
SQLServer:Access Methods	Forwarded Records/sec
SQLServer:Access Methods	Full Scans / sec
SQLServer:Access Methods	Index Searches/sec
SQLServer:Access Methods	Page Splits/sec
SQLServer:Access Methods	Workfiles Created/sec
SQLServer:Access Methods	Worktables From Cache Ratio
SQLServer:Access Methods	Table Lock Escalations/sec
SQLServer:Transactions	Longest Running Transaction Time
SQLServer:Memory Manager	Granted Workspace Memory (KB)
SQLServer:Memory Manager	Maximum Workspace Memory (KB)
SQLServer:Memory Manager	Memory Grants Outstanding
SQLServer:Memory Manager	Memory Grants Pending
SQLServer:Memory Manager	Total Server Memory (KB)
SQLServer:Memory Manager	Target Server Memory (KB)
SQLServer:Databases	Data File(s) Size (KB)
SQLServer:Databases	Log Bytes Flushed/sec
SQLServer:Databases	Log File(s) Size (KB)
SQLServer:Databases	Log File(s) Used Size (KB)
SQLServer:Databases	Log Flush Wait Time
SQLServer:Databases	Log Flush Waits/sec
SQLServer:Databases	Log Flushes/sec
SQLServer:Databases	Log Growths
SQLServer:Databases	Log Shrinks
SQLServer:Databases	Log Truncations
SQLServer:Databases	Percent Log Used
SQLServer:Buffer Manager	Free List Stalls/sec
SQLServer:Buffer Manager	Lazy Writes/Sec
SQLServer:Buffer Manager	Checkpoint Pages/sec
SQLServer:Buffer Manager	Page Life Expectancy
SQLServer:Buffer Manager	Page Lookups/sec
SQLServer:Buffer Manager	Page Reads/sec
SQLServer:Buffer Manager	Page Writes/sec
SQLServer:Buffer Manager	Readahead/sec
SQLServer:Buffer Manager	Database Pages
SQLServer:Buffer Manager	Procedure Cache Pages
SQL Server:Buffer Manager	Target Pages
SQL Server:Buffer Manager	Free Pages
SQL Server:Buffer Manager	Stolen Pages/sec
SQL Server:SQL Statistics	Batch requests/sec
SQL Server:SQL Statistics	SQL Attention Rate/sec
SQL Server:Cursor Manager by Type	Active Cursors
SQL Server:SQL Errors	Errors/sec
SQL Server:Deprecated Features	Usage
SQL Server:General Statistics	Logouts/sec
SQL Server:Latches	Latch Waits/sec
SQL Server:Latches	Avg Latch Wait Time (ms)
SQL Server:Latches	Total Latch Wait Time (ms)
SQL Server:Locks	Lock Wait Time (ms)
SQL Server:Locks	Avg Wait Time (ms)

Create custom windows performance collection rules in Opsmgr for the missing performance counters (i.e. those above). Note: There are obvious best practices that should be followed to make sure that you don’t blow-up, destroy or cripple your Opsmgr or SQL Server systems (or at least create a semblance of following good practice)…e.g. deploy in your test environment first (yep, soooo many of us have them for Opsmgr, right?), choose a sensible performance collection sample frequency (tip, every 1 sec is not it), calculate the additional storage requirements in the OperationsManager and OperationsManagerDW databases, enable the new rules for a limited number of target instances to start with, etc.

Okay, now use PowerShell to export raw data for all of the performance counters in the attached file. The script below will export ‘SQL Re-Compilations/sec’ counter data for all ‘Microsoft.SQLServer.2008.DBEngine’ discovered instances.

Get-MonitoringClass -Name "Microsoft.SQLServer.2008.DBEngine" | Get-MonitoringObject | % `

{$aaa=$_.Id;$bbb=$_.PathName;Get-PerformanceCounter | ? {$_.MonitoringObjectId -eq $aaa -and $_.ObjectName -eq "SQLSERVER:SQL Statistics" -and $_.CounterName -eq "SQL Re-Compilations/sec"} | Get-PerformanceCounterValue -StartTime ((get-date).adddays(-7)) -EndTime (get-date) | Select TimeSampled,SampleValue | Export-Csv -NoTypeInformation $env:HOMEDRIVE\$bbb.csv};

Manually edit the script above for all desired counters……I know, I know…it is real easy to automate that <sigh>…The PowerShell script below will get the raw performance data only for relevant Objects and Counters specified in a CSV file:

Import-Csv c:\JVTools\SQL.csv | % `

{$Counter=$_.Counter;$Object=$_.Object;Get-MonitoringClass -Name "Microsoft.SQLServer.2008.DBEngine" | Get-MonitoringObject | % `

{$aaa=$_.Id;$bbb=$_.PathName;$Object;$Counter;$count++;$CounterStr=$Counter-replace("/"," per ");$ObjectStr=$Object-replace(":","-");Get-PerformanceCounter | ? {$_.MonitoringObjectId -eq $aaa -and $_.ObjectName -eq $Object -and $_.CounterName -eq $Counter} | Get-PerformanceCounterValue -StartTime ((get-date).adddays(-7)) -EndTime (get-date) | Select TimeSampled,SampleValue | Export-Csv -NoTypeInformation $env:HOMEDRIVE\$Count$ObjectStr$CounterStr$bbb.csv}};

Note: The CSV format is simply: Object,Counter. Use at least two different CSV's for the OS and SQL Server and replace "Microsoft.SQLServer.2008.DBEngine" with "Microsoft.Windows.OperatingSystem" (or a class more relevant to your scenario like "Microsoft.Windows.LogicalDisk") and the pointer to the CSV in the above script for the OS performance data collection.

Finally, manually crunch the data in Excel and complete the attached WinWord template…<sigh> or use the Measure-Object (not Measure-Command) in PowerShell to create the 7 day averages where required. Now at least manually fill out the WinWord template and create the baseline graphs-over-time…<sigh> or use PowerShell to do that as well . A post for another day perhaps?
Repeat this baseline creation every 3 or so months (depending on how dynamic and/or important your system is), before and after major changes like service packs, etc. Use it for troubleshooting, load balancing, fighting off business and application owners that want to overload your system and to help in getting that next salary increase when your boss asks you for a list of proactive things you have done lately.

I know that this data can also be retrieved from the OperationsManagerDW database in SQL (the OperationsManager database is not a good idea from an Opsmgr performance perspective...as the SQL guy, you may have the pesky Opsmgr Admin on your case with his own pesky Opsmgr performance baseline indicating that system stats degraded since you started fiddling) and I also know that a custom Opsmgr report to replace the WinWord template is very possible. That is a post for another time, this time the focus was on using PowerShell. I am also aware that this view is largely server-centric and that a more holistic end-to-end service performance baseline would be a useful thing...hmm Opsmgr does include features for creating Distributed Applications...wonder if I can target that with the MonitoringObject?

Have fun!

Johan

PowerShell Script: Bulk move Mailboxes using a CSV Input File (HMC 4.0)

JVosloo — Fri, 14 Jan 2011 05:25:32 GMT

This script can be used to move mailboxes, specified within a CSV input file, between mailbox servers. It will also update the MPS Resource Manager database.

     # Author: Johan Vosloo

    # Date: 12/10/2009

    # Purpose: Bulk move mailboxes from a CSV input file.

    # Disclaimer: This script is provided as-is without any support. The script was tested against HMC 4.0, Exchange Server 2007 SP1 and Powershell 1.0. Please test in a test environment prior to production use.      

    # Process:      

    # 1. Use the Exchange Management Shell to get the source server name with Get-ExchangeServer | Select Name      

    # 2. Use the Exchange Management Shell to populate the input CSV file with Get-MailboxDatabase | where {$_.ServerName.Contains("sourceservername") -eq "true"} | Get-Mailbox | Select Alias,Database | Export-Csv C:\Temp\MbxsToBeMoved.csv –NoTypeInformation      

    # 3. Change ‘Database’ field header to ‘TargetDB’      

    # 4. Modify database/targetdb field entries as required in the CSV     

    # 5. Change preferredDomainController in mailbox move script     

    # 6. Run mailbox move script:     

    # CSV Example:     

    # Alias,TargetDB     

    # bloggsj,mytargetservername 

    $path = "C:\jv\MoveMailbox\MbxsToBeMoved.csv";

    Write-Host;

    Write-Host "*******************";

    Write-Host "Move Mailbox Script" -Foregroundcolor Blue -Backgroundcolor White;

    Write-Host "*******************";

    Write-Host;

    Write-Host "A CSV is required (i.e. $path)"

    $Ver1 = Read-Host "CONTINUE script execution? [Y] to continue or [ANY OTHER KEY] to exit"

      if ($Ver1 -ne "Y")

      {exit;

      } 

    Write-Host; 

    Write-Host "Valid entries in CSV:" -Foregroundcolor Blue -Backgroundcolor White;

    # Note: Checks are not performed to avoid scenarios where sourcedb = targetdb in this version of the script. This is the administrators responsibility.

    Write-Host;

    Write-Host "Alias,TargetDB";

    Import-csv -path $path | 

    foreach `

    { 

                   $TDBs = Get-MailboxDatabase $_.TargetDB -ErrorVariable MyError -ErrorAction SilentlyContinue;

    # Note: Checks are not performed to avoid scenarios where the Alias is invalid in this version of the script. This is the administrators responsibility.

        $A = $_.Alias

                   Write-Host "$A,$TDBS";

    }

    If ($MyError -ne $null)`

    { 

                   Write-Host;

        Write-Host "*******";

                   Write-Host "Error" -Foregroundcolor Red -Backgroundcolor White;

        Write-Host "*******";

        Write-Host "Invalid TargetDB in CSV. Script terminating..." -Foregroundcolor Blue -Backgroundcolor White;

        Write-Host "Error Description:" -Foregroundcolor Blue -Backgroundcolor White;

        $MyError;

        Write-Host;

                   exit;

    } 

    $Ver2 = Read-Host "CONTINUE moving ALL mailboxes in CSV? [Y] to continue or [ANY OTHER KEY] to exit"

      if ($Ver2 -ne "Y")

      {exit;

      }

    Function SendMPSRequest([string]$xmlRequestStr)

    {

      $oMpf = new-object -comobject "Provisioning.ProvEngineClient"

      $xmlResponseStr = $oMPF.SubmitTrustedRequest($xmlRequest.get_InnerXml());

      $xmlResponse = new-object "System.Xml.XmlDocument";

      $xmlResponse.LoadXml($xmlResponseStr);

      $xmlResponse;

    }

    [string]$xmlRequestStr = @"

    <?xml version="1.0" encoding="utf-8"?>

    <request>

      <data>

        <preferredDomainController>ad01.fabrikam.com</preferredDomainController>

        <user>CSVPopulated</user>

        <targetDatabase>CSVPopulated</targetDatabase>

      </data>

      <procedure>

        <execute namespace="Hosted Email 2007" procedure="MoveMailbox" impersonate="1">

          <before source="data" destination="executeData" mode="merge" />

          <after source="executeData" destination="data" mode="merge" />

        </execute>

      </procedure>

    </request>

    "@

    [string]$excXmlStr = @"

    <?xml version="1.0" encoding="utf-8"?>

    "@

    Write-Host

    Write-Host "Starting procedure..." -Foregroundcolor Blue -Backgroundcolor White;

    Write-Host

    $CSV = Import-csv -path $path

    Foreach ($line in $CSV)`

      {

        $mailbox = Get-Mailbox $line.Alias | Select Alias, DistinguishedName; 

        $userName = $mailbox.Alias;

        $userDN = $mailbox.DistinguishedName;

        $TDB = $line.TargetDB

        Write-Host "Moving $userName to $TDB..." -ForegroundColor White

        Write-Host 

        $xmlRequest = new-object "System.Xml.XmlDocument";

        $xmlRequest.LoadXml($xmlRequestStr);  

        $xmlRequest.request.data.user = "LDAP://" + $userDN;

        $xmlRequest.request.data.targetDatabase = $TDB;

        $xmlResponse = $null;

        $xmlResponse = SendMPSRequest($xmlRequestStr.ToString());

            if ($xmlResponse.Response.Data.User -ne $null)`

            {

                $MPSUser = New-Object System.Object;

                $MPSUser | Add-Member -Type NoteProperty -Name "DistinguishedName" -Value $userDN;

                $MPSUser | Add-Member -Type NoteProperty -Name "User" -Value $xmlResponse.Response.Data.user;

                $MPSUser | Add-Member -Type NoteProperty -Name "TargetDB" -Value $xmlResponse.Response.Data.targetDatabase;

                $MPSUser | FL;

            }

      }            

    Write-Host;

    Write-Host "********************************************************************************************************************************************************************************************";

    Write-Host "Script execution complete. In pre-HMC4.0 Hosted Exchange Update Rollup 5 environments, please remember to run the Managed Email 2007::RepairExchangeObject procedure on all mailboxes moved." -Foregroundcolor Blue -Backgroundcolor White;

    Write-Host "********************************************************************************************************************************************************************************************";

    Write-Host;

Best lessons learnt while moving part of my LAB from Virtual Server 2005 R2 to Windows Server 2008 R2 Hyper-V

JVosloo — Mon, 07 Jun 2010 23:14:00 GMT

Issue: Laptop Wireless NIC is not available by default to VM’s in Hyper-V :-(

Solution:

In Hyper-V Virtual Network Manager, create a new ‘Internal Only’ NIC e.g. Virtual Wireless Network
In Windows Server 2008 R2 Network Connections, create a bridge between the Wireless Network Connection and the Virtual Wireless Network.
Add a NIC and connect it to the Virtual Wireless Network for a VM in its Settings

Issue: Migrating VM’s from Virtual Server to Hyper-V result in no mouse integration, no network adapter and a ‘VMBus’ device that cannot be installed (i.e. Yellow exclamation mark in Device Manager) :-(

Solution:

Uninstall old virtual server integration components
Restart VM
Install new Hyper-V integration services
Run msconfig.exe, Boot, Advanced Options, Detect HAL, Enable
Restart VM
Run msconfig.exe, Boot, Advanced Options, Detect HAL, Disable
Restart VM

Installing Forefront Threat Management Gateway (New ISA) in my System Center Operations Manager Lab

JVosloo — Mon, 07 Jun 2010 23:13:00 GMT

(Simple high-level step-by-step for the admin that does not require screenshots. The process below is probably useful for building a lab, production deployments would require little more planning.)

Basic Info

TMG is basically an Outbound Proxy.

UAG is basically an Inbound Proxy.

TMG consists of 3 roles:

TMG Server (x64)
Enterprise Management Server (x64) – i.e. The old Configuration Storage Server (CSS)
Management Console (x86/x64)

E-mail protection must be installed separately. It is not installed by default!

High-level Forefront TMG Deployment Steps

Run the Forefront Threat Management Gateway 2010 Capacity Planning Tool
Review workgroup and domain considerations
Review System requirements for Forefront TMG
Install Operating System (Windows Server 2008 R2)
Join Domain (or leave in Workgroup)
Run Windows Update
Activate Windows
Configure NIC’s
- Private
- Public
Install Forefront TMG
- Run Preparation Tool (requires internet access)
- Restart Computer
- Run Installation Wizard
Configure TMG
- Allow Web Access (HTTP/HTTPs)

Install the Microsoft Forefront Threat Management Gateway (TMG) 2010 Management Pack for Operations Manager 2007

Review the Management Pack Guide
Install/Configure MP pre-requisites
- Enable manual Agent Installation in the Operations Console
- Create Access Rule in the TMG Management Console
- Manually install the Agent on the TMG Server
- Manually apply the latest CU to the Agent on the TMG Server
Import MP

Audit Alert Scenarios: System Center Operations Manager (OpsMgr) 2007 R2

JVosloo — Tue, 10 Nov 2009 04:33:00 GMT

The other day I was asked to assist with implementing the scenarios below:

Scenario 1: Alert for changes to the ‘Domain Admin’ group membership
Scenario 2: Alert when the Audit Policy is changed (Default Domain or Domain Controller)
Scenario 3: Alert when xx number of unsuccessful logons occur within nn hours
Scenario 4: Account locked out x number of times in a 24 hour period

I’ve decided to blog about it as I am likely to need it again in the future and it may help someone else as well!

Scenario 1: Alert for changes to the ‘Domain Admin’ group membership

Prerequisites

OpsMgr agent installed on domain controllers (more info...)
Notification Channel, Subscriber & Subscription configured (more info...)
Enable ‘Audit Account Management’ for the ‘Default Domain Controllers Policy’ (more info... and how to)

Step-by-Step

Create an ‘Alert Generating Rule’ as below:
(more info... and how to)

Note: Rules are used here instead of monitors as monitors will affect Parent Monitors while rules will not.

Operations Console > Authoring > Rules > Create a new rule Note Create a new destination management pack if required. Next
Select > ‘Windows Domain Controller’ Note Un-tick the ‘Rule is enabled’ checkbox. Next
Select Security as the log name. Next
Configure the event expression as depicted in the image. Next	We will use the following event id’s in this section: 632 – A member was added to a global group. 633 – A member was removed from a global group. Note there are two ways to do this: Use Parameter 3 in screenshot above (more info here and here) or; ‘Use parameter name not specified above’ and ‘EventDescription’. Method 1 is preferred.
Change the severity and priority settings as required. Create
	Next steps: Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...) Create a notification subscription for the rule. (more info...)

Alert example

Scenario 2: Alert when the Audit Policy is changed (Default Domain or Domain Controller)

Prerequisites

OpsMgr agent installed on domain controllers (more info...)
Notification Channel, Subscriber & Subscription configured (more info...)
Enable ‘Audit Policy Change’ for ‘Default Domain Policy’ (more info... and how to)

Step-by-Step

Create an ‘Alert Generating Rule’ as below:
(more info... and how to)

Operations Console > Authoring > Rules > Create a new rule Note Create a new destination management pack if required. Next
Select > ‘Windows Domain Controller’ Note Un-tick the ‘Rule is enabled’ checkbox. Next
Select Security as the log name. Next
Configure the event expression as depicted in the image. Next	We will use the following event id in this section: 612 – An audit policy was changed.
Change the severity and priority settings as required. Create
	Next steps: Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...) Create a notification subscription for the rule. (more info...)

Alert example

Scenario 3: Alert when xx number of unsuccessful logons occur within nn hours

Disclaimer: This is a complex scenario and I am not sure that my proposed solution is the simplest...it works though! :-)

The following is relatively easy to do though:

· Create an alert for each Unsuccessful Logon.

· Create an alert for each Unsuccessful Logon for a specific user.

· Create one suppressed alert (i.e. repeat count is increased) for all Unsuccessful Logons.

· Create one suppressed alert per user account that attempted an unsuccessful logon. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx. I documented only this scenario below.

Prerequisites

OpsMgr agent installed on domain controllers (more info...)
Notification Channel, Subscriber & Subscription configured (more info...) – not strictly speaking necessary for the proposed solution.
Enable ‘Audit Account Logon Events’ for ‘Default Domain Controller Policy’ (more info... and how to)

Step-By-Step

(Create one suppressed alert per user account that attempted an unsuccessful logon. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx.)

Create an ‘Alert Generating Rule’ as below:
(more info... and how to)

Operations Console > Authoring > Rules > Create a new rule Note Create a new destination management pack if required. Next
Select > ‘Windows Domain Controller’ Note Un-tick the ‘Rule is enabled’ checkbox. Next
Select Security as the log name. Next
Configure the event expression as depicted in the image. Next	We will use the following event id in this section: 675 - Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
Change the severity and priority settings as required. Alert Suppression
Configure the alert suppression fields as depicted in the image. Ok
Create
	Next steps: Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...)

Alert example

Create a rule to resolve all unsuccessful logon alerts on a daily basis

Operations Console > Authoring > Rules > Create a new rule Note Create a new destination management pack if required. Next
Select > ‘Root Management Server’ as the rule target. Note Un-tick the ‘Rule is enabled’ checkbox. Next
Define the schedule as required.
Create a directory on the root management server i.e. c:\scripts > Save the following powershell script in the directory. Note Change the script as required i.e. path to OpsMgr startup.ps1 and rule name.	# ResolveUL.ps1 # Author: Johan Vosloo # Date: 29-10-2009 # Note: The name i.e. "Custom Rule - Count Unsuccessful Logons" below must match the rule name that is used to create the surpressed alert. # Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in "c:\Program Files\System Center Operations Manager 2007" - Change as required. add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"; Set-Location "c:\Program Files\System Center Operations Manager 2007"; .\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1; get-alert \| where {($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and ($_.ResolutionState -eq "0")} \| resolve-alert -comment "CLOSE daily informational alerts" \| out-Null;
Configure command line execution settings as depicted in the image. Create
	Next steps: Enable newly created rule for ‘all objects of class: Root Management Server’ by using an override. (more info...)

Create a rule to send notification when alert ‘RepeatCount’ equal xx within nn hours

Operations Console > Authoring > Rules > Create a new rule Note Create a new destination management pack if required. Next
Select > ‘Root Management Server’ as the rule target. Note Un-tick the ‘Rule is enabled’ checkbox. Next
Define the schedule as required.
Create a directory on the root management server i.e. c:\scripts > Save the following powershell script in the directory. Note Change the script as required i.e. path to OpsMgr startup.ps1 and rule name.	# NotifyULogon.ps1 # Author: Johan Vosloo # Date: 29-10-2009 # Credit: Adapted from http://contoso.se/blog/?p=290 # Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in "c:\Program Files\System Center Operations Manager 2007" - Change as required. # Change the Notification Recipient below. $Recipient = security@paris.com; add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"; Set-Location "c:\Program Files\System Center Operations Manager 2007"; .\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1; # The name i.e. "Custom Rule - Count Unsuccessful Logons" below must match the rule name that is used to create the surpressed alert. $alertdata = get-alert \| where {($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and ($_.ResolutionState -eq "0") -and ($_.RepeatCount -gt "3") -and ($_.CustomField1 -lt 0)} \| Foreach { $_.Id; $alert_id = $_.Id; $alert_name = $_.Name; $alert_TimeRaised = $_.TimeRaised; $alert_Desc = $_.Description; $alert_RepeatCount = $_.RepeatCount; $alert_Severity = $_.Severity; $alert_priority = $_.Priority; $alert_MonitoringObjectDisplayName = $_.MonitoringObjectDisplayName; If ($alert_RepeatCount -gt 3) { # Send Email If ($alert_ID -eq $NULL) {"Alert ID is NULL, dont send e-mail";} ELSEIF ($recipient -eq $NULL) {"Recipient is NULL, dont send e-mail";} ELSE { # Change the from address and the mailserver below $smtpServer = "mailserver.paris.com"; $smtpClient = new-object system.net.mail.smtpClient($smtpServer); $From = notification@paris.com; $To = $recipient; $Title = "Notification from Ops Mgr. $alert_name $alert_Severity"; $Body = @" Notification from Operations Manager 2007 RepeatCount: $alert_RepeatCount Raised: $alert_TimeRaised Name: $alert_name Object: $alert_MonitoringObjectDisplayName Priority: $alert_Priority Severity: $alert_Severity Description: $alert_description "@ $SmtpClient.Send($From,$To,$Title,$Body); # Update Custom Field 1 on the alert. Else the script will send multiple e-mails for the same alert $alert = Get-Alert \| where {$_.Id -eq $Alert_ID}; $alert.Customfield1 = "Ops Mgr has sent e-mail to $recipient"; $alert.Update(""); }; }; };
Configure command line execution settings as depicted in the image. Create
	Next steps: Enable newly created rule for ‘all objects of class: Root Management Server’ by using an override. (more info...)

Scenario 4: Account locked out x number of times in a 24 hour period

Disclaimer: This is another complex scenario and I am again not sure that my proposed solution is the simplest...it works though! J

Prerequisites

OpsMgr agent installed on domain controllers (more info...)
Notification Channel, Subscriber & Subscription configured (more info...)
Enable ‘Audit Account Management’ for the ‘Default Domain Controllers Policy’ (more info... and how to)

Step-By-Step

(Create one suppressed alert per locked out user account. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx.)

Create an ‘Alert Generating Rule’ as below:
(more info... and how to)

Operations Console > Authoring > Rules > Create a new rule Note Create a new destination management pack if required. Next
Select > ‘Windows Domain Controller’ Note Un-tick the ‘Rule is enabled’ checkbox. Next
Select Security as the log name. Next
Configure the event expression as depicted in the image. Next	We will use the following event id in this section: 644 - A user account was auto locked.
Change the severity and priority settings as required. Alert Suppression
Configure the alert suppression fields as depicted in the image. Ok
Create
	Next steps: Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...) Repeat ‘Create a rule to resolve all Unsuccessful Logon Alerts on a daily basis’ section in scenario 3 above. Repeat ‘Create a rule to send notification when RepeatCount equal xx within nn hours’ in scenario 3 above.

Audit Report Scenarios: How to create custom reports with System Center Operations Manager 2007 R2 and Audit Collection Services (ACS)

JVosloo — Fri, 06 Nov 2009 05:05:00 GMT

Scenarios that are discussed in this blog post include:

Scenario 1: Computers joined to the domain (names and description)
Scenario 2: User passwords expired
Scenario 3: User accounts locked out
Scenario 4: Group policy changes

Scenario 1: Computers joined to the domain (names and description)

The following Event Id’s will be used in this procedure:

645 - A computer account was created.

646 - A computer account was changed.

647 - A computer account was deleted.

Note: Computer description cannot be reported on as it is not a parameter of the events.

Computer Accounts Created

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section
Step 3 Rename fields
Step 4 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 5 Right click inside the ‘Computer’ field > Edit Formula > Enter the formula as indicated in the image
Step 6 Select Filter from the toolbar. Add Event Id and select 645 Note Event Id 645 will not be available if Audit Account Management is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event.
Report example

Computer Accounts Deleted

Save the report created above as a different name, change the title and simply change the event id in step 6 above to 647 to report on deleted computer accounts.

Report example

Computer Accounts Changed

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Right click inside the ‘Action’ field > Edit Formula > Enter the formula as indicated in the image
Step 5 Select Filter from the toolbar. Add Event Id and equals 647. Also add String 06 and not equal to - Note Event Id 647 will not be available if Audit Account Management is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event.
Report example

Scenario 2: User passwords expired

Event Id 535 (Logon failure. The password for the specified account has expired) will be used in this procedure.

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Select Filter from the toolbar. Add Event Id and equals 535. Also add String 06 and not equal to - Note Event Id 535 will not be available if Audit logon events is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event or there were no logon attempts by users with expired passwords.
Report example

Scenario 3: User accounts locked out

Event Id 644 (A user account was auto locked) will be used in this procedure.

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Select Filter from the toolbar. Add Event Id and equals 644. Note Event Id 644 will not be available if Audit Account Management is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event or if the Account Lockout Policy is not configured with a threshold for logon attempts.
Report example

Scenario 4: Group policy changes

Event Id 566 (A generic object operation took place) will be used in this procedure.

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Select Filter from the toolbar. Add Event Id and equals 566. Also add String 01 contains groupPolicyContainer Note Event Id 566 will not be available if Audit Directory Service Access is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event.
Step 5 Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image
Step 6 Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image
Report example	Note: I added a text box with the KB URL to convert GPO GUID’s to GPO names.

Quick Tip: How to run an ACS Forwarder, Collector, RMS and DC on the same host

JVosloo — Thu, 05 Nov 2009 23:38:00 GMT

Manually enable the ‘Operations Manager Audit Forwarding Service’ (AdtAgent.exe).
Regedit > [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AdtAgent\Parameters] > New > Multi-String Value > AdtServers > ‘CollectorFQDN’

Note: Step 2 resolved Event ID 4369 (with a blank list of collectors) for me.

Hopefully this configuration of roles will only ever be used in a lab environment!

Script: Bulk approve WSUS updates from CSV input file

JVosloo — Thu, 15 Oct 2009 23:39:00 GMT

Hope this script will help someone out there!

# Script

# Author: Johan Vosloo
# Date: 16-10-2009
# Purpose: Bulk approve updates by specifying the UpdateID, WSUS Group Name and a Computer Name (any computer that is a member of the applicable group).
# Disclaimer: This script is provided as-is without any support. Script was tested on WSUS 3.0 SP1 and using Powershell 1.0. Please test in a test environment before production use.
# Credit: Adapted from http://gallery.technet.microsoft.com/ScriptCenter/en-us/e3b33372-1e7f-41ea-ad83-ecc10ba5f0f6
# CSV Example:
## updateID,grp,cName
## 82aa7a7a-c2c3-47b4-ab32-cb35c0e41ffc,Group2,wsus.labrootad.local
## 82aa7a7a-c2c3-47b4-ab32-cb35c0e41ffc,Group3,wsus.labrootad.local

# Specify path to CSV and ensure CSV is similar to example.
$path = "C:\Temp\Test.csv";

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null;
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
Import-csv -path $path | foreach `
{
    $groupName = $_.grp;
    $computerName = $_.cName;
    $UId = $_.updateID;

    # Use '$false' to return CSV-specified update information only. That is, updates will not be approved.
    $approveUpdates = $true;
    #$approveUpdates = $false;

    $group = $null;
    $computer = $wsus.GetComputerTargetByName($computerName);
    $groups = $computer.GetComputerTargetGroups() | foreach `
    {
    If ($_.Name -eq $groupName) {$group = $_};
};
    if ($group -eq $null) {throw new-object System.Exception($computerName + " is not a member of group: " + $groupName)};

    # Use UpdateScope to 'filter' the list that will be used to match the CSV-specified UpdateId.
    $updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope;
    #IncludedInstallationStates [eg. All/Downloaded/Failed/Installed/NotInstalled/InstalledPendingReboot/NotApplicable/Unknown] - http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration.updateinstallationstates(VS.85).aspx
    $updateScope.IncludedInstallationStates = "All";
    #ApprovedStates [eg. Any/Declined/HasStaleUpdateApprovals/LatestRevisionApproved/NotApproved] - http://msdn.microsoft.com/en-us/library/bb313233(VS.85).aspx
    $updateScope.ApprovedStates = "Any";

    $action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install;
    $updates = $computer.GetUpdateInstallationInfoPerUpdate($updateScope);
    $updates | foreach `
    {
        If ($_.UpdateId -eq $UId)
        {
        $u = $wsus.GetUpdate($_.UpdateId);
        #Properties [Title/State/Etc] - http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration.iupdate_members(VS.85).aspx
        Write-Host "Processing UpdateID: " $_.UpdateId;
        If ($approveUpdates) {$u.Approve($action,$group) | out-null}
        else {Write-host “Need to approve:" $u.Title};
        };
    };
};

How to determine Paged and Nonpaged pool limits

JVosloo — Sat, 19 Sep 2009 02:04:00 GMT

This is yet another article on how to determine Paged and Nonpaged pool limits. This method does not require internet access on the computer that we want to analyse.

I recently had a customer that experienced pool exhaustion on a failover cluster and this method helped to understand the effects of various changes (e.g. /3GB, PAE, more/less RAM) on the pool limits.

Steps

Download Process Explorer.
Create a folder e.g. <driveletter:>\symbols.
Download the applicable symbols e.g. Windows Server 2003 with Service Pack 2 x86 retail symbols, all languages.
Install the Symbols MSI or extract the files, depending on the installation source.
(Can be done on a non-prod computer)
Copy the symbols to <driveletter:>\symbols.
Run ‘procexp’.
Select Options > Configure Symbols.
Type <driveletter:>\symbols in Symbols Path.
Select View > System Information.
Note the values for Paged, Paged Limit and Nonpaged, Nonpaged Limit.