VASS v The Real World

For those fortunate enough never to have heard of VASS, it’s a site maintained by VCAA where school administrators can enrol students in VCE/VET courses and record results. While I’ve no doubt that the service the site provides is essential for our school and students, the site itself, with its browser restrictions and configuration requirements, makes accessing the VASS website from anywhere impossible.

While VCAA have recently published their requirements for Windows 7 and Internet Explorer 9, they have only done so and supported IE9 since January 2012, a lethargic ten months after the IE9 release.

While we currently use a GPO dedicated to the VASS browser settings for our SOE desktops, we weren’t prepared to wait for VASS to support IE9 before we updated our fleet of staff tablets to the latest browser. 

This time last year we were trialling RemoteApp for remote access to Synergetic, our school database system. We had an immediate need for our VASS Coordinator to access the VASS web site and obviously had problems after the IE9 update.

This week we were challenged again when we were asked to add RemoteApp VASS for two other members of staff. The challenge was with VASS’ ridiculous requirement for a unique USB dongle for each VASS user. We’d overcome this with our original VASS user by adding a floppy drive to the RemoteApp virtual server and using WinImage to create a virtual floppy disk from the USB dongle. The problem was that our VASS RemoteApp solution was limited to a single user!

Our RemoteApp server is running Windows Server 2008 R2 64-bit with Internet Explorer 8 and already has the ridiculous VASS browser settings applied.

We started by using WinImage to take copies of the two new USB dongles and copied the FLP files to the RemoteApp server.


The next step was to create a batch file to check the logged-on user for the VASS RemoteApp and load a virtual floppy with that user’s USB dongle. Since the virtual floppy in VMware wasn’t an option for three different users, we found a utility called IMDISK which was perfect: it works on 64-bit Server 2008 R2 and has the benefit of only being visible to the logged-on user, so these VASS users would only be able to see their own “USB Dongle”, not all three.

Remembering that RemoteApp is just a clever way of using an RDP session into a server, we could use %username% in our batch file so IMDISK would load the desired virtual floppy:

VASS.CMD
rem imdisk -d -m A:

if /i "%username%" == "user1" imdisk -a -f c:\vass\user1vass.flp -s 1440K -m A:
if /i "%username%" == "user2" imdisk -a -f c:\vass\user2vass.flp -s 1440K -m A:
if /i "%username%" == "user3" imdisk -a -f c:\vass\user3vass2.flp -s 1440K -m A:

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.vass.vic.edu.au

NOTE: The first line (commented out with rem) dismounts any virtual floppy already mounted at A:. Running it seemed a little unreliable: the virtual floppies got stuck unloading and wouldn’t reload. Leaving it out didn’t seem to cause a problem, given the way the RDP sessions work on the RemoteApp server. The comparisons are quoted and use /i so a username typed in a different case still matches.

The last line of the VASS.CMD file loads the 32bit version of IE8 (remembering that the 64bit version is not supported by VASS) on the RemoteApp server and goes straight to the VASS login page.

The last step was to add a new RemoteApp pointing to VASS.CMD and distribute the new RDP file to those users.


With this in place, it only takes a couple of minutes to add a new VASS user by taking an image of their USB dongle and updating the VASS.CMD file, and we’re looking forward to a Windows 8 / Internet Explorer 10 rollout later this year, knowing that VASS won’t be holding us back!

Pushing Microsoft Interactive Classroom

The Microsoft Interactive Classroom is a nifty tool for teachers to share their PowerPoint presentation with students running OneNote.

“With Microsoft Interactive Classroom, students participate like never before while staying up-to-speed on instructor notes. It gives educators the power to add in-class polling and to share lessons over a wireless network. If a teacher updates a presentation, students capture the notes in real-time via Microsoft OneNote.”

Our staff trainer presented this to the teachers last night, and with 460 student netbooks on campus, and another 320 coming in December, it should get a bit of use.

We extracted the files from ICSetup.exe and used Altiris to push the InteractiveClassroom_O14.en-US_x86.MSI silently to our staff tablets and student netbooks. PowerPoint and OneNote gain an Academic menu which in PowerPoint is used to start a shared preso, and in OneNote is used to connect to the preso.

Even though we have separate VLANs for staff and students, it was easy to get the machines talking to each other over the network. Most traffic seems to be over port 80, which is what we have allowed. The only restriction is that students have to manually enter the name of the staff machine to join the session.

Windows GPO: Disable Adobe Updater for CS3 and CS4

We’ve known for a while that Adobe updates are too frequent and too large and annoying when you have a couple of hundred machines on the network with the Master Collection installed. Recently, we installed Viewpoint to give us reporting from our Sonicwall firewall, and we saw the impact that Adobe updates had on our internet connection and it was staggering. Adobe updates and Apple iTunes updates were the bulk of our traffic, which is no mean feat when we have 900 Students in the Senior School on Facebook.

[Image: Web Usage Report from Viewpoint]

Luckily, Adobe have a registry key that can be used to enable/disable the Adobe Updater, and pushing the entry out to clients via Group Policy seems like the sensible option:
http://kb2.adobe.com/cps/408/kb408711.html

On Windows XP or Windows Vista

  1. Using Regedit.exe, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe
  2. Create a new Key in this folder named "Updater"
  3. Create a new DWORD value within this Key named "Enterprise" with a value of "1"

To try it out, I created the registry entries on my local machine and imported the entries into a new GPO with the Registry Wizard (Right Click on Registry in the Computer Configuration, and select New –> Registry Wizard)

[Image: Registry Keys imported into GPO]

[Image: Registry Entries, Action set to Update]
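As an added check (not from the post or Adobe’s KB article), this PowerShell function reads the policy value remotely from a list of clients so you can see whether the GPO actually landed on each machine. The computer names are constructed placeholders; the account running it needs admin rights on the clients and the Remote Registry service must be running there.

```powershell
# Added example, not the post's own code: report the Adobe Updater policy state per machine.
function Test-AdobeUpdaterPolicy {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $status = 'Unreachable'
        $value = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            # HKLM\SOFTWARE\Policies is shared between the 32- and 64-bit registry views,
            # so the same path works on x86 and x64 clients
            $key = $hklm.OpenSubKey('SOFTWARE\Policies\Adobe\Updater')
            if ($null -eq $key) {
                $status = 'NotConfigured'            # the GPO has not written the key
            } else {
                $value = $key.GetValue('Enterprise')  # 1 = updater disabled (per the KB article)
                if ($value -eq 1) { $status = 'UpdaterDisabled' } else { $status = 'UpdaterEnabled' }
                $key.Close()
            }
            $hklm.Close()
        } catch {
            $status = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Computer = $computer; Enterprise = $value; Status = $status }
    }
}

# Constructed placeholder names; anything other than UpdaterDisabled needs a look
Test-AdobeUpdaterPolicy -ComputerName 'STAFF-TAB-001', 'STU-NB-042' | Format-Table -AutoSize
```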

It’s important to remember to still update the Adobe applications, especially Acrobat and Flash. The Sophos Security Threat Report 2010 highlights the need to keep these two applications up to date: malicious code can be executed from Flash files embedded in PDF documents. Sebastian Porst has a superb write-up on dissecting the Adobe/Flash exploit here; if you’ve got 10 minutes, grab a coffee and read up.

You can download the Acrobat updates manually from Adobe and push them out to clients with msiexec.exe. Check AppDeploy for the specifics for your version of Acrobat, but something like this would do the trick:

msiexec /p "%installdir%\AcroProStdUpd910_T1T2_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

msiexec /p "%installdir%\AcrobatUpd912_all_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

This is from the Adobe forums; push it out with a script or via GPO.

Netbooks: Setting Students as Admins during deployment

As part of our config for the Student Netbook SOE, we’re going to make each student an administrator on their own netbook. We don’t want to make every student an administrator on all of the machines, because of the security/privacy issues that would arise: if every student is an administrator on every machine, it’s possible for them to log onto another student’s machine and look at, edit, delete or copy their files.

When we unboxed the netbooks we attached our Asset tags (BGSID) and used the barcode scanner to grab the BGSID and Serial for each netbook and put them into Excel. We thought we could use this data and run a post imaging script from Altiris to set the student admin on each machine after they’re sysprep’d and before they’re given out to Students.

We created a SQL database with one table, see below. The image shows our test data, but we’re able to copy the BGSID’s and Serials from the spreadsheet to the database and assign a username for each netbook. The database also has a field for MachineName, which is blank initially and is populated when the script is run. Altiris automatically names the machines, according to the template we’ve specified, but we thought it would be handy to grab the machine name and store it next to the Serial as the machines are assigned to Students.
We can also be sneaky and use the StudentUserName field to query AD and grab the student’s first name and surname to make sticky labels for their machine, and maybe their bags too… we’ll see.


'______________________ Start SetStudentAdmin.vbs __________________________
Option Explicit

Dim adoConn, adoRS
Set adoConn = CreateObject("ADODB.Connection")
Set adoRS = CreateObject("ADODB.Recordset")
Call GetBGSID

'_______________________________________________________________________

Sub GetBGSID()

Dim NetBookSerial, winmgmt1, SNSet, SN
Dim objWshNet, strDomain, strComputer, objGroup, strUser, objUser

' Read the netbook's serial number from the BIOS via WMI
winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//."
Set SNSet = GetObject(winmgmt1).InstancesOf("Win32_BIOS")

For Each SN In SNSet
NetBookSerial = SN.SerialNumber
Next

' Look up the row for this serial in the Netbooks database
' (connection details as in the post; a dedicated low-privilege SQL login is preferable to sa)
adoConn.Open "Provider=SQLOLEDB;Data Source=lumberjack;User ID=sa;Password=12345;Initial Catalog=Netbooks;"
adoRS.Open "select * from netbooks where (Serial = '" & NetBookSerial & "')", adoConn, 1, 3

' Bail out cleanly if the serial hasn't been entered in the table yet
If adoRS.EOF Then
WScript.Echo "No netbook record found for serial " & NetBookSerial
adoRS.Close
adoConn.Close
Exit Sub
End If

Set objWshNet = CreateObject("WScript.Network")
strDomain = objWshNet.UserDomain
strComputer = objWshNet.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Use the column names rather than ordinal positions
strUser = adoRS.Fields("StudentUserName").Value

Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

' Add the assigned student to the local Administrators group if not already a member
If Not objGroup.IsMember(objUser.ADsPath) Then
objGroup.Add objUser.ADsPath
End If

' Record the Altiris-assigned machine name next to the serial
adoRS.Fields("MachineName").Value = strComputer

adoRS.Update
adoRS.Close
adoConn.Close

End Sub
'______________________ End SetStudentAdmin.vbs ___________________________
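An added example, not the post’s own script: a PowerShell audit that compares a netbook’s local Administrators group with the netbooks table and reports any account that isn’t the assigned student, which is the situation the paragraph above wants to avoid. The CSV rows are constructed sample data, and members are compared by account name so no domain name is needed.

```powershell
# Added example (not the post's script): audit local Administrators against the netbooks table.
# Constructed sample export of the table (Serial,StudentUserName columns as named in the post).
$Assignments = @'
Serial,StudentUserName
SN0001,student.one
SN0002,student.two
'@ | ConvertFrom-Csv

function Get-LocalAdminNames {
    # ADSI WinNT provider works on XP/Win7 clients that lack Get-LocalGroupMember
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

function Get-NetbookAdminReport {
    param(
        [object[]]$Assignments,
        [string]$Serial = (Get-WmiObject Win32_BIOS).SerialNumber,   # same lookup as SetStudentAdmin.vbs
        [string[]]$Members = (Get-LocalAdminNames)
    )
    $row = $Assignments | Where-Object { $_.Serial -eq $Serial } | Select-Object -First 1
    $assigned = if ($row) { $row.StudentUserName } else { $null }
    # Accounts expected in Administrators: built-in account, Domain Admins, the assigned student
    $allowed = @('Administrator', 'Domain Admins') + @($assigned | Where-Object { $_ })
    [pscustomobject]@{
        Serial      = $Serial
        Assigned    = $assigned
        HasAssigned = [bool]($assigned -and ($Members -contains $assigned))
        Extra       = @($Members | Where-Object { $allowed -notcontains $_ })   # e.g. another student
    }
}

# Constructed membership for SN0001: student.two should not be there and is reported under Extra
Get-NetbookAdminReport -Assignments $Assignments -Serial 'SN0001' `
    -Members 'Administrator', 'Domain Admins', 'student.one', 'student.two'
```

Run without -Serial and -Members on a netbook and it audits that machine’s own group.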

Exchange 2007 Edge Server Licence

Earlier this year we migrated our Exchange 2003 setup to Exchange 2007, and all was going well for a while, until we noticed that our Edge Server thought it was unlicensed, even though we’d entered all the licence info as part of the initial Exchange config. A quick search found this handy PowerShell command for setting, or resetting, the Product Key for our Edge Server. I’m still impressed with how much PowerShell can do in Exchange/Windows; it’s definitely worth investing the time to learn.

PowerShell:

[PS] C:\Windows\System32>get-ExchangeServer

Name                Site                 ServerRole  Edition     AdminDisplayVersion
----                ----                 ----------  -------     -------------------
JACKAL              BGS                  Mailbox,... Standard    Version 8.1...
CARLOS              BGS                  ClientAc... Standard    Version 8.1...
EDGE                BGS                  Edge        Standard... Version 8.1...
ZORO                BGS                  ClientAc... Standard    Version 8.1...

[PS] C:\Windows\System32>set-ExchangeServer Edge -ProductKey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
[PS] C:\Windows\System32>get-ExchangeServer

Name                Site                 ServerRole  Edition     AdminDisplayVersion
----                ----                 ----------  -------     -------------------
JACKAL              BGS                  Mailbox,... Standard    Version 8.1...
CARLOS              BGS                  ClientAc... Standard    Version 8.1...
EDGE                BGS                  Edge        Standard    Version 8.1...
ZORO                BGS                  ClientAc... Standard    Version 8.1...

[PS] C:\Windows\System32>

Scripting Switch Configuration Backup

Here is a short VBS script which telnets into your ProCurve switch and sends a config backup to your TFTP server. The code can easily be changed to telnet into pretty much any device that supports configuration via telnet.

This code is a modified version of a snippet posted on the VBForums.

Dim objShell
Dim objNetwork
Dim strTitle, strDefaultServer, strComputer, strUsername, strPassword

Set objNetwork = CreateObject("WScript.Network")

strTitle = "Telnet Demo"
strDefaultServer = "Server01"

strComputer = InputBox("What server or device do you want to connect to?", _
strTitle, strDefaultServer)
If Len(strComputer) = 0 Then WScript.Quit

'ProCurve switches prompt only for a password unless a manager username has been set,
'so leave this empty: the bare Enter it sends just dismisses the "Press any key" banner
strUsername = ""
strPassword = "password"    'replace with the switch's manager password

Set objShell = CreateObject("WScript.Shell")
'Start Telnet
objShell.Run "Telnet " & strComputer
'Give app a chance to get started
WScript.Sleep 5000
objShell.AppActivate "Telnet " & strComputer

'Send login credentials ("~" in SendKeys is a carriage return)
objShell.SendKeys strUsername & "~"
WScript.Sleep 2000
objShell.SendKeys strPassword & "~"
WScript.Sleep 2000

'Send the backup command: copy the startup config to the TFTP server,
'naming the file after the switch address
WScript.Sleep 200
objShell.SendKeys "~"
WScript.Sleep 200
objShell.SendKeys "copy startup-config tftp 172.16.1.15 " & strComputer & "_config.txt"
WScript.Sleep 1000
objShell.SendKeys "~"

'give lengthy commands time to finish
'WScript.Sleep 10000

'make sure we get window again
objShell.AppActivate "Telnet " & strComputer
objShell.SendKeys "~"

'Close session: "exit" twice backs out of the manager context, "y" confirms the logout
'make sure we get window again
objShell.AppActivate "Telnet " & strComputer
objShell.SendKeys "exit"
WScript.Sleep 200
objShell.SendKeys "~"
objShell.SendKeys "exit"
WScript.Sleep 200
objShell.SendKeys "~"
WScript.Sleep 200
objShell.SendKeys "y"
objShell.SendKeys "~"
WScript.Sleep 200
objShell.SendKeys "~"

Save this text in a .vbs file and run it via "cscript switchbak.vbs" from the command line.

If you’re modifying the script to run on something other than a ProCurve switch, you may have to tweak, add or remove the Sleep and SendKeys "~" calls. SendKeys with the tilde sends a carriage return to the telnet session.
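Added example, not the post’s script: the same backup driven by the switch’s own prompts over a TCP session, so the Sleep tuning isn’t needed and the script fails loudly if a prompt never arrives. It assumes a manager password with no username configured, a prompt ending in "#", the post’s TFTP server address and a placeholder switch address; like the VBS version, telnet carries the password in clear text.

```powershell
# Added example (not the post's script): prompt-driven ProCurve backup over a raw telnet session.
function Read-Until($stream, [string]$Pattern) {
    $text = ''
    $buf = New-Object byte[] 4096
    while ($text -notmatch $Pattern) {
        $n = $stream.Read($buf, 0, $buf.Length)       # throws once ReadTimeout elapses
        if ($n -le 0) { throw "Connection closed while waiting for '$Pattern'" }
        $i = 0
        while ($i -lt $n) {
            if ($buf[$i] -eq 255 -and ($i + 1) -lt $n) {   # IAC: decline every telnet option
                $cmd = $buf[$i + 1]
                if ($cmd -ge 251 -and ($i + 2) -lt $n) {  # DO/DONT/WILL/WONT carry an option byte
                    $opt = $buf[$i + 2]
                    if ($cmd -eq 253) { $stream.Write([byte[]](255, 252, $opt), 0, 3) }      # DO   -> WONT
                    elseif ($cmd -eq 251) { $stream.Write([byte[]](255, 254, $opt), 0, 3) }  # WILL -> DONT
                    $i += 3
                } else { $i += 2 }
            } else { $text += [char]$buf[$i]; $i++ }
        }
    }
    return $text
}

function Send-Line($stream, [string]$Line) {
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Line + "`r`n")
    $stream.Write($bytes, 0, $bytes.Length)
}

function Backup-ProCurveConfig {
    param([string]$Switch, [string]$Password, [string]$TftpServer = '172.16.1.15')  # TFTP address from the post
    $client = New-Object System.Net.Sockets.TcpClient($Switch, 23)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 15000
        [void](Read-Until $stream 'Press any key')   # banner; an empty line gets past it
        Send-Line $stream ''
        [void](Read-Until $stream 'Password:')
        Send-Line $stream $Password
        [void](Read-Until $stream '#\s*$')           # manager prompt
        Send-Line $stream "copy startup-config tftp $TftpServer ${Switch}_config.txt"
        $output = Read-Until $stream '#\s*$'         # command echo plus any error from the copy
        Send-Line $stream 'logout'
        Send-Line $stream 'y'
        return $output
    } finally { $client.Close() }
}

# Placeholder switch address; the manager password is read interactively rather than stored
Backup-ProCurveConfig -Switch '10.0.0.2' -Password (Read-Host 'Manager password')
```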

Also, if you’d like to run this script you will need a TFTP server; there is a free download from SolarWinds.

To make the backup script a useful tool I’ve set it to run and query an MS SQL database to get the addresses for our ProCurve switches, and have scheduled it to run regularly. I will post an update on how I’ve set that up sometime soon. The script is essentially the same, but I’ve removed the prompt for the device address and added the database connection query; I’ll post the details shortly.

If you have set up ProCurve Manager then you may find this post redundant, but I’ve found it to be a handy script to have; it sends backup config files to a server where they are easily accessible in a disaster, hopefully…