Admin Guide
Version 7.50
Lieberman Software Corporation

Copyright Lieberman Software Corporation. All rights reserved.

The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited.

Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If there are any problems in the documentation, please report them to Lieberman Software in writing. Lieberman Software does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation
1900 Avenue of the Stars Suite 425
Los Angeles CA
Internet [email protected] Website:

INTRODUCTION

This chapter includes an overview of User Manager Pro's goals, the knowledge that users are assumed to have, background information on User Manager Pro's multi-threaded nature and performance, and background on how groups and actions work in Windows. This chapter also contains directions to the License Agreement and a copy of the limited warranty agreement that come with the software.

OVERVIEW

Welcome to User Manager Pro. If you have purchased the product, read on to discover all the features at your disposal. If you are just evaluating the product, we hope you will be very pleased with its capabilities.

If you are familiar with NT's User Manager or User Manager for Domains, Computer Management in Windows 2000 and later, or Active Directory, you will find User Manager Pro's user and group management features very familiar. However, instead of making changes to only one machine or domain controller, you can control thousands of machines with a single mouse click, with all of the results logged to a human-readable text file.

But user and group management is only the beginning. With rights and auditing changes, advanced registry editing, reporting, remote reboot, automatic deferred retry, Wake on LAN, IP Scanning, and many other features, User Manager Pro is one of the most advanced and functional high-performance administration tools you can use.

If you have ever bothered with PERL, VB or Kixtart scripts to control the configuration of your Windows users, groups, rights, registry or policies on your workstations, you will be exceptionally happy with the speed, ease of use, and power that this tool gives you.

PREREQUISITE KNOWLEDGE

Before we begin, we assume that you are already an experienced Administrator for Microsoft Windows. You should be familiar with basic networking, managing users and groups, and typical administration tasks. More advanced operations may require more specialized knowledge. User Manager Pro is designed to make administration tasks quick and easy for the skilled administrator, not to teach administration.

If you have problems or need assistance in the installation and operation of this product, you can contact us for assistance - we want your installation and operation to be a smooth and successful experience.

If you plan on using a Microsoft SQL Server installation to store the reporting data for reports generated in User Manager Pro, we recommend that you be familiar with the administrative concerns that go along with updating and maintaining an instance of SQL Server (or have a database administrator who is familiar with these issues). Topics that you should be aware of include: securing the database, creating access roles to allow access to your users, patching the database and keeping up to date with updates, and backing up and/or auditing the database to ensure you don't lose your stored data.

You can keep up to date on the latest upgrades via our web site, or you can e-mail us at: [email protected].

PERFORMANCE NOTES

Most operations take about one second per system or less. Operations on large groups of systems are processed in parallel, so you will see many operations completing simultaneously. User Manager Pro is a multi-threaded management system (by default User Manager Pro will use up to 100 worker threads). The software will automatically exploit all available processors to enhance the performance of the program.

User Manager Pro operations utilize only moderate network bandwidth, and do not exceed the bandwidth requirements of comparable operations using built-in Windows tools.

When operating over a WAN (Wide Area Network), you will see some degradation in overall completion times due to packet transmission delays. Because of User Manager Pro's multi-threaded operation, communication with many systems will be happening concurrently, so network delays will not be cumulative.

If you choose to cancel multi-threaded operations in User Manager Pro, you must wait for all running threads to complete or time out before performing another operation. There is almost always an on-screen indicator that shows the current number of active threads.

LICENSE AGREEMENT

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation as well as all accompanying items promptly for a refund.

1. Your Rights: Lieberman Software hereby grants you the right to use User Manager Pro to manage the licensed number of systems purchased. This software is licensed for use by a single client and its designated employees, contractors and authorized 3rd parties to manage the systems owned/used by a single client. The software license may not be shared with unrelated 3rd parties.

The serial number provided by Lieberman Software is designed for installation on a specific machine. You may install an unlimited number of copies of User Manager Pro for your administrators that connect to the single licensed machine. All administrators can share the pool of purchased managed node licenses. There are no limits to the number of web servers or clients that may access the data stored by your licensed copy of User Manager Pro.

You may install and use the User Manager Pro: Web Interface to Random Password Generator Password Recovery Console with your duly licensed copy of User Manager Pro + Random Password Generator without any additional payment to Lieberman Software. The cost of Microsoft web servers, SSL certificates, and other supporting equipment and technology are the sole responsibility of the user of this software, not Lieberman Software.

2. Copyright. The SOFTWARE is owned by Lieberman Software and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also; you may not make copies of the manual for any purpose other than the use of the software.

3. Other Restrictions: You may not rent, lease, or transfer the SOFTWARE to any other entity. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.

4. Notice: This software contains functionality designed to periodically notify Lieberman Software of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software under these circumstances, and you agree to not hold Lieberman Software responsible for the use of any or all of the information by Lieberman Software or any third party.

When used lawfully, this software periodically transmits to us the serial number and network identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party.

Lieberman Software Corporation
1900 Avenue of the Stars Suite 425
Los Angeles CA
Internet [email protected] Website:

LIMITED WARRANTY

The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30 days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media.

The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation or for consequences of any such errors.

This agreement is governed by the laws of the State of California.

Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write:

Lieberman Software Corporation
1900 Avenue of the Stars Suite 425
Los Angeles CA

You can also keep up to date on the latest upgrades via our website, or e-mail us at: [email protected].

MAIN DIALOG

The initial screen of User Manager Pro presents a list of machine management sets that can be managed. These management sets contain the systems that will be managed or reported on. There are no hard limitations on the number of management sets that can be created. Management sets may be created based on management requirements and/or the topology of the network. Many customers create sets for domain controllers, servers, workstations, different physical locations, and LAN/WAN sites. The advantage of management sets is that they present systems in an organized way for administration.

There are two different types of management sets in User Manager Pro: simple (see "Adding Systems to a Simple Management Set") and dynamic (see "Adding Systems to a Dynamic Management Set"). Simple management sets have static lists for system membership. Dynamic management sets are defined by ranges, where all systems within those ranges are included in the management set. Dynamic management sets can be used to manage a set of systems that are defined by a domain, an Active Directory OU, or a specific IP address range, where the actual systems in that range may vary.

Initially there are no management sets, so at least one must be added (see "Create Management Sets"). Then proceed with populating the management set with machines (see "Adding Systems to a Simple Management Set"), followed by reporting on and/or making changes to those same systems.

On the bottom right side of the screen is the current License Mode. Local Machine means a license is installed on the local system. If the entry is Remote: ServerXXX, then a license key is being shared from the named server.

On the bottom left side of the screen are options to manage management sets. Activate launches the management interface of the selected management set, Add creates a new simple management set to manage, and Delete deletes the highlighted management set(s) from the list of management sets.

MAIN DIALOG PULL-DOWN MENUS

SETTINGS
  General Options - Set up the general program options like threading, wait time, and process order.
  Logging Options - View, print, or change the save location of User Manager Pro's log file.
  Reporting Datastore Options - Configure User Manager Pro to use the registry or a SQL database as its reporting data store.

PROGRAM
  Backup Internal Database to RegEdit File - Copies the entire internal database used by the program to a RegEdit file.
  Restore Internal Database from RegEdit File - Restores the entire internal program database from a RegEdit file.
  Delete Internal Database - Removes the internal program database from the registry.

GROUPS
  Import from Comma-Delimited File - Updates management sets from a comma-delimited backup file.
  Import from ODBC Datasource - Updates management sets from an ODBC data source.
  Export to Comma-Delimited File - Copies the management set list and members database to a comma-delimited file.
  Import Settings from Remote License Server - Imports program settings from the remote license server.
  Export Settings to Remote License Server - Exports the system settings to the remote license server.
  Scan IP Ranges for Systems - Uses the IP Scanner to add/update systems.
  Activate Selected Management Set - Opens the currently selected management set.
  Add Simple Management Set - Creates a new empty management set.
  Add Dynamic Management Set - Creates a new empty dynamic management set.
  Remove Selected Management Set - Removes a management set from the program.
  Management Set Properties - Changes the name of a management set or the management set comment.
  Find Systems in Management Sets - Locates a specific system in a management set.

DEFERREDPROCESSING
  Jobs Monitor - Opens the Jobs Monitor dialog.
  Retry Policy - Opens the Retry Policy dialog to adjust handling of errors.

HELP
  Help Contents - Displays this help file.
  Show Tip of the Day - Shows the Tip of the Day.
  License Token Management - The License Token Dialog allows assigning or releasing license keys to systems.
  Licensed Components - Displays a list of the features that are enabled.
  Register - Allows entering registration information.
  Show Logon Info - Displays current logon information.
  Revision History - Displays the product's revision history.
  Check For Updates - Checks the web for any recent updates to User Manager Pro.
  About - Displays version, product, and license information.

MANAGED SYSTEMS LISTS

Systems that will be managed are organized into lists called management sets. This allows creation of logical groupings of systems based on their type, operating system version, physical location, or any other personal organization scheme.

This chapter describes how to create and manage lists of systems. A system must be located in one or more management sets before operations can be performed on it. This chapter includes all the ways to add or remove systems from the program, as well as the ways to back up system lists and program data.

There are multiple ways to add systems to the current management set. To access these features, either select them from the context menu (right-click in the systems list window) or click on the SystemsList menu option.

  Add from Domain List (see "Add From Domain Systems List") - This is the fastest way of adding systems that have joined a trusted domain. This uses the NT4 style domain browser.
  Add from Browse List (see "Add From Network Browse List") - The easiest way to find machines using the network browse list.
  Add from Shell Browser (see "Add From Shell Network Browse List") - Add systems from the Windows shell network browser.
  Add Systems Manually - For machines that are not visible or have not joined the domain.
  Add from Active Directory - To add machines using the Object Picker under Windows 2000 and later.
  Add from IP Scanner - Add machines by specifying IP address ranges or domains.
  Import Systems List from a Text File - Import a list of systems from a text file.
  Export Systems List to a Text File - Export a list of systems to a text file.

CREATE MANAGEMENT SETS

Choose to create a dynamic management set or a simple management set. Dynamic management sets contain a variable list of systems and are built on criteria such as location in Active Directory, domain membership, or operating system type. This list of systems is updated automatically. Simple management sets are managed entirely by hand.

Choose one of three ways to create a dynamic management set (see "Adding Systems to a Dynamic Management Set"):

  Click on the Add button from the Management Set to Manage panel.
  Select the Add Dynamic Management Set option from the Groups menu.
  Select the Add Dynamic Management Set option from the context menu (right-click menu).

Choose one of three ways to create a simple management set (see "Adding Systems to a Simple Management Set"):

  Click on the Add button from the Management Set to Manage panel.
  Select the Add Simple Management Set option from the Groups menu.
  Select Add Simple Management Set from the context menu (right-click menu).

Click the Add button to begin the process of adding a management set. The available choices are:

  A simple management set that contains only the local host system.
  A dynamic management set that uses the local domain as the source from which to draw a list of systems.
  A custom simple management set (see "Adding Systems to a Simple Management Set") that has no members. Manually choose which systems to add to the management set.
  A custom dynamic management set (see "Adding Systems to a Dynamic Management Set") that has no initial settings. Define the criteria that the management set will use to populate itself.

After selecting an option to add a new management set, additional steps may be required based on the selection.

If creating a management set with only the local system, a window like the one below will open with the UMP host system already in it.

If creating a management set with all the systems in the same domain as the local system, a window like the one below will open with all systems from the local domain (according to the local domain controller).

If creating a custom simple management set, the window below will open with no systems added.

If creating a custom dynamic management set, the dynamic properties dialog will open and criteria must be provided to dynamically build the list of systems for the management set.

EXCLUSION LIST

The Exclusion List allows specifying system names that this tool will not be allowed to modify or report on. These could be servers or administrator machines, or maybe just sensitive machines. The exclusion list is program-wide. This dialog can be accessed from the Systems Excluded from all Operations option under the SystemsList menu of any management set.

Shown below is the Exclusion List dialog. Use the Add and Delete buttons to manually change the Exclusion List entries, or use the Import List button to load a line-delimited text list of systems. When making a change to a system in the Exclusion List, a special pop-up will appear asking to confirm the change.

ADDING SYSTEMS TO A SIMPLE MANAGEMENT SET

There are various ways to add systems to a management set manually once the set has been created:

  Add from domain systems list.
  Add from network browse list.
  Add from shell network browse list.
  Add systems manually by name.
  Add from Active Directory.
  Add from scanned IP ranges.
  Import/Export Systems List from text file.

These methods are in addition to the IP Scanner and ODBC query, which can both be used to create a new management set.

ADD FROM DOMAIN SYSTEMS LIST

Shown below is the Add from Domain List dialog. The fastest method of adding Windows systems to this program is to query the Domain Controller for the list of machines which have joined the domain.

There are a few confusing cases when viewing servers in the domain list. The machine list may not represent all of the machines on the network (some machines may not have joined the domain). The list usually contains systems that have left the domain, but have not been purged from the domain database.

After adding machines to the Selected Systems list, use the Platform? button to verify the connectivity, credentials, and version of the selected systems. The Platform? feature contacts each machine on the list and queries which version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added.

The Platform field indicates what operating system type is running. The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing Platform?), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, 5.2 is Server 2003, 6.0 is Windows Vista/2008, 6.1 is 7/2008R2, 6.2 is 8/2012, 6.3 is 8.1/2012R2), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both a Workstation and a Server to have both the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

ADD FROM NETWORK BROWSE LIST

Shown below is the Add From Network Browse dialog.

To add a machine using the Network Neighborhood browsing architecture of the operating system, press the Insert key on the keyboard or the Browse button on the Manage Systems dialog.

If working with systems that have not joined a domain (workgroups), the easiest way to find and add them is to use the Network Browser architecture of Windows. This dialog allows browsing the different network providers (Microsoft, Novell, Banyan), and then drilling down to find the different machines on each network.

After adding machines to the Selected Systems list, use the Platform? button to verify the connectivity, credentials, and version of the selected systems. The Platform? feature contacts each machine on the list and queries which version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added.

The Platform field indicates what operating system type is running. The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing Platform?), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, 5.2 is Server 2003, 6.0 is Windows Vista/2008, 6.1 is 7/2008R2, 6.2 is 8/2012, 6.3 is 8.1/2012R2), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both a Workstation and a Server to have both the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

28 Managed Systems Lists 21 ADD FROM SHELL NETWORK BROWSE LIST The Shell Network Browser dialog allows browsing the network for systems to add using the shell's browse functionality. This may be helpful for adding machines from organizational units in Active Directory, since the shell allows browsing of the Active Directory hierarchy. In this view, organizational units are represented as folders in the hierarchy. If creating a separate set for each organizational unit in the company, populate the sets easily using this dialog. After adding machines to the Selected Systems list, use the Platform? button to verify the connectivity, credentials, and version of the selected systems. The Platform? feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as, which network services (Type) are running on the machine. This feature is an excellent way to verify that only live appropriate systems are added. The Platform field indicates what operating system type is running.

29 Managed Systems Lists 22 The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing Platform?), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, 5.2 is Server 2003, 6.0 is Windows Vista/2008, 6.1 is 7/2008R2, 6.2 is 8/2012, 6.3 is 8.1/2012R2), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both a Workstation and Server to both have the Workstation and Server services running. When performing domain lookups and platform checks the status, progress, and thread count are all updated in real time. The status box displays messages about the status of current the operation, and the active thread count displays how many threads have yet to complete for this operation. ADD SYSTEMS MANUALLY Shown below is the Add Systems Manually dialog. In cases where machines are not visible within the Network Neighborhood, and have not joined the domain, systems may need to be added manually. After adding machines to the Selected Systems list, use the Platform? button to verify the connectivity, credentials, and version of the selected systems. The Platform? feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as, which network services (Type) are running on the machine. This feature is an excellent way to verify that only live appropriate systems are added. The Platform field indicates what operating system type is running.

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing Platform?), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, 5.2 is Server 2003, 6.0 is Windows Vista/2008, 6.1 is 7/2008R2, 6.2 is 8/2012, 6.3 is 8.1/2012R2), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for a Workstation and a Server to both have the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

ADD FROM ACTIVE DIRECTORY

Shown below is the Add Systems from Active Directory dialog on the Active Directory Browse page. When running on Windows 2000 or later, a special Active Directory control known as the Object Picker may be used to find systems. The default options for the control are to show both up-level (native and mixed mode) systems and down level systems (NT). Options to search any desired domain controller or to select a desired directory can be specified here. The Browse Options (on page 25) page is detailed in the following section.

BROWSE OPTIONS

Shown below is the Browse Options page of the Add From Active Directory dialog. The Browse Options page shows the options that take effect when the "Browse" button is clicked on the first page. There is typically no need to change the browse options, but if changes are made on the "Browse Options" page, return to the first page and click the "Browse" button to see the results of the new options. The default options are to browse for machines in the up level and down level domains to which the host system is joined. The default domain is the one with which the currently logged on user account is authenticated, and the search is performed from the local machine.

ACTIVE DIRECTORY BROWSE OPTIONS

TARGET COMPUTER

These options allow controlling where searches are to be performed. Normally these options should be ignored. Use these options to extract machine lists from foreign/non-Active Directory domains.

Skip Target Domain Controller Check - Set this flag if the computer is not a domain controller, to save time. However, if the machine is a domain controller, this flag would not typically be set. It is usually best to select domain objects from the domain scope rather than from the domain controller itself.

Target Computer (optional) - Allows specifying where to execute the search via the text entry field below the check box. Set the check box and set the field to a non-Active Directory domain controller to see a list of machines that have joined that domain (the "Skip Target Domain Controller Check" should be unchecked in this scenario). If the "Target Computer" entry field is blank, the current machine is the target computer.

ACTIVE DIRECTORY SCOPE OF PROVIDER SEARCH

These options allow controlling which data source is to be used for the machine search. Generally, leave all of these options unchecked.

Force Starting Scope as - Sets the first entry in the "Look in" drop down to the option selection. Normally the drop down will default to its own choice.

Provider - These options are different data sources for searches.

LOOK-IN OPTIONS

Up level Joined Domain - Search the up level domain to which the target computer is joined. If this flag is set, use the "Up level Domain Controller" entry field to specify the name of a domain controller in the joined domain.

Up level Domain Controller Field - This field can be blank even if the "Up level Joined Domain" is checked, in which case the dialog box looks up the domain controller. This entry field enables specifying a domain controller in a multi-master domain. For example, an administrative application might make changes on a domain controller in a multi-master domain, and then open the object picker dialog box before the changes have been replicated on the other domain controllers.

Down level Joined Domain - Search the down level domain to which the UMP host computer is joined.

Enterprise Domain - Search all Active Directory domains in the enterprise to which the target computer belongs. If the Up level Joined Domain check box is set, then the results represent all Active Directory domains in the enterprise except the joined domain.

External Up level Domain - Search all up level domains external to the enterprise but trusted by the domain to which the target computer is joined.

External Down level Domain - Search all down level domains external to the enterprise but trusted by the domain to which the target computer is joined.

Workgroup - Search the workgroup to which the target computer is joined. Applies only if the target computer is not joined to a domain.

User Entered Up level Scope - Enables entry of an up level scope. If neither of the "User Entered" types is specified, the dialog box restricts the query to the scopes in the "Look in" drop-down list.

User Entered Down level Scope - Enables entering a down level scope.

ADD FROM IP SCANNED RANGE

This option opens the IP Scanner (see "IP Scanner Dialog" on page 223) to scan TCP/IP address ranges for systems that respond to the currently logged on credentials. Once the ranges are defined and systems are found, use the IP Scanner's export options to add systems to system sets. As this feature successfully contacts each machine on the list, it asks which version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added.

IMPORT/EXPORT SYSTEMS LIST

The following methods are listed under the SystemsList Import/Export Systems List menu item to import or export systems lists:

Import System List from Text File
Export System List to a Text File

These methods make it easy to import systems lists from text files. An import requires a previously created, properly formatted list of systems. Properly formatted text files of systems lists have one system name per line.

ADDING SYSTEMS TO A DYNAMIC MANAGEMENT SET

A Dynamic Management Set is a set which contains all the systems found in one or more ranges. The range can be any combination of IP address ranges, domains, Active Directory containers, database queries, or explicit inclusions. This range can be further customized by the use of operating system filtering options. The following diagram illustrates the different ranges that can all be used within a dynamic set. For this dynamic set, the system list will include systems found in all of these ranges.

Because the system list for a dynamic management set is pulled dynamically from a range, the set can stay in sync with a changing network configuration without user intervention. The list of systems in a dynamic set is re-scanned on a recurring (customizable) interval. A dynamic set may be configured to add any new systems found in the range to the set and/or release systems from the set that are no longer in the inclusion range. The following diagram depicts the flow of events in the cycle of a dynamic management set.

The purpose behind dynamic management sets is to create a set that will dynamically update its system list to match the current state of the managed range, without having to manually add and remove systems when the network is reconfigured. By default, dynamic sets are checked every 30 days for new systems in the network configuration, and old systems which have lost contact are removed after 90 days of inactivity. Additionally, systems may be removed from the set if they are not found within the range after a re-scan.

An example of a dynamic system set would be a dynamic system set managing the domain MyDomain. After setting up the domain to be scanned every ten days in the options page, the program will scan the range and add all systems in MyDomain to the systems list for the set. During the month, three systems are removed from the domain and four new systems are added. At the start of the next month the product will refresh information for all the systems on MyDomain. The Windows domain membership has changed, but the system set will have synchronized automatically. The dynamic system set has been scanning the domain for membership every 10 days and already has the current system list for MyDomain.

To create a dynamic system set click on Add System Set from the System Set menu in the main dialog or select then choose Custom Management Set. Each aspect of the dynamic set is described in the following sections.

Enter a unique name for a new system set. The other available configuration options for dynamic sets are:

A comment.
A range for the dynamic set using one or more of the following: Domains, IP Address Ranges, Active Directory Paths, and Data Sources.
An Explicit Inclusions entries list for systems to be included that may be outside of the range.
An Explicit Exclusions entries list for systems that will be in the range but should not be managed.
Filter Options to limit set membership to specific names of systems, operating system versions, or system types.
Options to specify how often the range is scanned for new systems and under which conditions old systems should be removed from the set.

DYNAMIC SET NAME AND COMMENT

Shown below is the Name/Comment tab. Specify a name for the set and an optional comment. These properties are identical to their simple set equivalents. Use any characters desired to specify set names except "\\".

DYNAMIC SET DOMAINS

Shown below is the Domains tab. Use this tab to add domains by the domain's NetBIOS name (NT style). If the domain in question is an Active Directory domain, use the Active Directory Paths tab instead.

Add new domains to the dynamic range by clicking the box button in the upper-right of the list control. Either manually enter the name of the domain, or browse for domain names using the "..." button. It is also possible to specify a system to get a list of trusted domains. Type in the name of the domain controller and click Refresh. This will populate the dialog with a list of trusted domains.

DYNAMIC SET IP ADDRESS RANGES

Shown below is the IP Address Ranges tab. Use this tab to scan a range of IP addresses to find systems. Add new IP address ranges to the set by clicking the box button in the upper-right of the list control. For help on how to specify IP address ranges, see the IP Address Entries section of the IP Scanner chapter. Any systems found within the IP range that authenticate will be included in the dynamic set. Only systems that respond are added to the set through the IP Scanner. Systems that are off-line will not be added to the set through the IP Scanner.

DYNAMIC SET ACTIVE DIRECTORY PATHS

Shown below is the Active Directory Paths tab. The Active Directory Paths tab is used to include and subsequently exclude systems from the management set. Use this tab to add entire Active Directory domains, or portions of the domains such as OUs and containers. The exclude path is actually a subset of the include path. To exclude systems that would otherwise be included in the management set, add those systems to the Explicit Exclusions tab.

Add new Active Directory paths by clicking the box button in the upper-right of the list control. Systems found using these paths will be included in the dynamic set. Add as many LDAP paths as desired. Click the ellipses (...) to the right of the LDAP Path field to browse Active Directory. If unable to browse Active Directory, type in the name of a domain controller in the Active Directory field followed by the path to the container that should be included.

When creating systems lists, the Filter Options tab can be used to look for specific names or operating system versions. If the systems being looked for are in AD, this process uses considerably more bandwidth than necessary. The operation is expensive because, with the Filter Options tab, each system must be contacted to determine whether it meets the criteria defined on that tab. In total, the systems list is first derived from AD and imported into the systems list. Then a series of secondary connections are made to the target systems to identify whether each system meets the filter criteria. The systems list is then re-filtered to contain only systems that meet the filter. The larger downside is that if a system is off-line during this operation, this process cannot be performed, and thus the system will remain in the systems list and potentially be managed if the list is not updated prior to the job running.

If everything is in AD, the best practice is to use a custom LDAP query to aid in finding and filtering for systems. The most obvious benefit is the cost of this query: a single LDAP query to one domain controller obtains all the information needed without ever contacting the target systems or performing post-filtering for each system in the systems list.

When generating an LDAP query, be aware of how the query is formed: the rules follow those of regular expressions, but the syntax is slightly different.

* = anything, any number of characters. As in joe* would return joe, joey, etc.
? = single character. As in jo? would return joe, joy, jot, etc.
| (pipe) = or
& = and
! = not

Single expressions are all grouped with parentheses. For example:

    (objectcategory=computer)

would return every computer at the target LDAP container.

To include multiple expressions, join them with an & and a set of parentheses. For example, to find all computers whose account name starts with LA:

    All computers = (objectcategory=computer)
    Name starts with LA = (samaccountname=la*)

Would be written as:

    (&(objectcategory=computer)(samaccountname=la*))

To include multiple expressions, join them with an & and a set of parentheses. For example, to find all computers whose account name starts with LA, but exclude Windows 2003 systems:

    All computers = (objectcategory=computer)
    Name starts with LA = (samaccountname=la*)
    Windows 2003 Operating System = (operatingsystem=windows Server 2003)

Would be written as:

    (&(&(objectcategory=computer)(samaccountname=la*))(!(operatingsystem=windows Server 2003)))

To include multiple expressions, join them with an & and a set of parentheses. For example, to find all computers whose account name starts with LA, but exclude Windows 2003 or Windows XP systems:

    All computers = (objectcategory=computer)
    Name starts with LA = (samaccountname=la*)
    Windows 2003 Operating System = (operatingsystem=windows Server 2003)
    Windows XP Operating System = (operatingsystem=windows XP)

Would be written as:

    (&(&(objectcategory=computer)(samaccountname=la*))(!(|(operatingsystem=windows Server 2003)(operatingSystem=Windows XP))))

Break apart the last query to see the steps a little easier:

    (&
      (&
        (objectcategory=computer)(samaccountname=la*)
      )
      (!
        (|
          (operatingsystem=windows Server 2003)
          (operatingsystem=windows XP)
        )
      )
    )

Queries can be much more or less complex than what is shown here. Any attribute present in Active Directory may be used for a possible query. Three additional and useful computer filters are:

    Disabled account: useraccountcontrol: :=2
    Domain Controllers: useraccountcontrol: :=8192
    Global Catalogs: (&(objectcategory=ntdsdsa)(options: :=1))

To find all computers and exclude all disabled computer accounts:

    All computers = (objectcategory=computer)
    Disabled account: (useraccountcontrol: :=2)

Would be written as:

    (&(objectcategory=computer)(!(useraccountcontrol: :=2)))

DYNAMIC SET DATA SOURCES

Shown below is the Data Sources tab of the Dynamic Set sheet. Use this dialog to query an existing database to return a list of systems to manage. To add queries to the list, click the box in the upper-right corner of the list. Add entries to this list using the following dialog. Either supply a specific connection string or click the ellipses (...) to begin a Microsoft wizard to generate the connection string.

Note: if the option Allow manual editing of connection string is selected and the database connection is performed using an explicit account rather than Windows integrated authentication, the password will be shown in clear text.

Supply a properly formatted query to return the desired system names; only the system names should be returned from the query. Each resulting row from the query is expected to contain one value, which is the name of a system to be included in the set.
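The filters from the Active Directory Paths section, evaluated offline against a constructed inventory so the selection can be checked before a set is pointed at live systems; this is an added example, not code from the product. The matching-rule OID 1.2.840.113556.1.4.803 (Active Directory's bitwise AND rule) in the userAccountControl filters, the sample records, and the names parse, matches, select, PAGE_FILTER and SAFE_FILTER are assumptions of the example.

```python
import re

# Active Directory bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND).
# Assumption: the userAccountControl filters are meant to use this rule.
BIT_AND = "1.2.840.113556.1.4.803"

def parse(text):
    """Parse an LDAP filter string into a nested tuple tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong operand count for '{op}'")
        return (op, children), i + 1
    end = s.find(")", i)
    item = s[i:end] if end != -1 else ""
    m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", item)
    if m is None:
        raise ValueError(f"malformed expression at offset {i}")
    attr, rule, value = m.groups()
    return ("item", attr.lower(), rule, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry (a dict)."""
    if node[0] == "item":
        _, attr, rule, value = node
        have = entry.get(attr)
        if have is None:
            return False
        if rule is None:  # equality: case-insensitive, '*' is the only wildcard
            pattern = re.escape(value.lower()).replace(r"\*", ".*")
            return re.fullmatch(pattern, str(have).lower()) is not None
        if rule == BIT_AND:  # true when every bit of the mask is set
            mask = int(value)
            return (int(have) & mask) == mask
        raise ValueError(f"unsupported matching rule {rule}")
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)

def select(filter_text, entries):
    """Return the account names of the entries the filter would select."""
    tree = parse(filter_text)
    return [e["samaccountname"] for e in entries if matches(tree, e)]

# Constructed sample inventory (not real data). objectcategory is simplified
# to the short name that the page's filters compare against.
INVENTORY = [
    {"samaccountname": n, "objectcategory": "computer",
     "operatingsystem": os_name, "useraccountcontrol": uac}
    for n, os_name, uac in [
        ("LA-WKS01$", "Windows 7 Professional", 4096),
        ("LA-SRV03$", "Windows Server 2003", 4096),
        ("LA-XP07$", "Windows XP", 4096),
        ("LA-XP08$", "Windows XP Professional", 4096),
        ("LA-OLD02$", "Windows 7 Professional", 4096 | 2),      # disabled
        ("LA-DC01$", "Windows Server 2012 R2", 524288 | 8192),  # domain controller
        ("NY-WKS09$", "Windows 7 Professional", 4096),
    ]
]

# Filter from the page: LA computers, excluding Windows 2003 and Windows XP.
PAGE_FILTER = ("(&(&(objectcategory=computer)(samaccountname=la*))"
               "(!(|(operatingsystem=windows Server 2003)(operatingSystem=Windows XP))))")

# Same name scope, with disabled accounts and domain controllers kept out.
SAFE_FILTER = ("(&(objectcategory=computer)(samaccountname=la*)"
               f"(!(useraccountcontrol:{BIT_AND}:=2))"
               f"(!(useraccountcontrol:{BIT_AND}:=8192)))")

if __name__ == "__main__":
    print(select(PAGE_FILTER, INVENTORY))
    print(select(SAFE_FILTER, INVENTORY))
```

An equality test without * is exact, so the constructed "Windows XP Professional" record stays selected by PAGE_FILTER; widen the value with * where edition strings vary.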

DYNAMIC SET EXPLICIT INCLUSIONS

Shown below is the Explicit Inclusions tab. Use this tab to manually define entries that should always appear in this set. Using Explicit Inclusions, specify one or more systems by name that will be included in the set whether or not they are discovered by other means.

Example: System ASQL01 is added to the Explicit Inclusions list. When the domains, IP address ranges, and Active Directory paths (which make up the dynamic set range) are scanned and the system ASQL01 is not found in those ranges, the system ASQL01 is still added to the system list of the set. When the set is refreshed, the system ASQL01 will not be removed from the set unless it has been removed from the Explicit Inclusions list (or placed on the Explicit Exclusions list).

Systems placed on both the Explicit Inclusions list and the Explicit Exclusions list will be excluded from the set.

DYNAMIC SET EXPLICIT EXCLUSIONS

Shown below is the Explicit Exclusions tab. Use this tab to manually define systems which should always be excluded from the set regardless of any other discovery or inclusion properties. Using Explicit Exclusions, a set of systems that will never be included in the set, even if they are within the discovery range, can be defined. Use this option to prevent the accidental addition of certain sensitive systems to the list, such as domain controllers or servers.

Example: System SERVER is the domain controller for the domain MyDomain. System SERVER should not be managed using the tool, but it is part of the MyDomain domain, which is part of the dynamic set range. The system SERVER is added to the Explicit Exclusions list. When the set is refreshed, SERVER will be found in the MyDomain domain, but SERVER will not be added to the list of managed systems even though it is included within the domain. Subsequent refreshes of the set will not cause SERVER to be added to the list of managed systems until it is removed from the Explicit Exclusions list.

Systems placed on both the Explicit Inclusions list and the Explicit Exclusions list will be excluded from the set.

DYNAMIC SET FILTER OPTIONS

Shown below is the Filter Options tab. Use this tab to filter systems by their role, operating system, or name. This option may be used to filter any and all of the other inclusion criteria such as Domains, IP Address Ranges, etc. However, it is not recommended to use this tab when including systems from Active Directory, because Active Directory already stores all of this information. Using this dialog will force the product to add all systems found from Active Directory, then subsequently attempt a connection to each system to see if it meets the filter criteria. This can cause a job that could be performed in a single 20 second query to AD to take minutes to complete. When using Active Directory paths, it is recommended to use a custom LDAP query to filter systems by name, role, or operating system type.

Filter Options allows specifying a system name filter string (when scanning for new systems), system type matching, and OS version matching. System names which do not match the filter will be excluded from the set. The filter string can include one or more "*" as wild cards for matching systems. Do not use "?" to specify a single character wild card. Only system names which match all filter criteria will be included in the set; all other systems will be filtered out.

When using filter options, this tool will attempt a connection to the identified system in order to determine what operating system version it is. If the filter options are left in their default state (or reverted if changed) when creating sets, the tool will not attempt a connection to the system when it adds it to the set. This means a dynamic set with filter options enabled will take longer to update its systems list than will a dynamic set not using filter options.

Example: Manage all the systems that contain 'SALES', such as SALES1 and WORKSTATION_SALES, by specifying a name filter of "*SALES*".

DYNAMIC SET OPTIONS

Shown below is the Options tab. This tab defines how often the set will automatically update and if it will remove systems from the set automatically.

These options handle the automatic addition/removal of systems to or from the set. Adjust how often the program checks the range of the set for new systems to add to the set by selecting the Update management set every option. If the Update management set every option is not checked, the set must be manually refreshed by selecting Update System Set from the SystemsList menu.

The first two options deal with removal of systems from the set. If the first option is selected and a computer is no longer found in the configured ranges, it will be removed from the dynamic set. If the second option is selected and a system has not been contacted for 90 days, it will be automatically removed from the list.

For example: The set is configured to include all systems from LDAP://dctr/ou=wks,dc=mydomain,dc=com. When the set was first configured, there were three hundred systems in the OU. Today, 20 of those systems were decommissioned and removed from that OU. With the first option selected, when the dynamic set updates the systems list, those 20 systems would be removed from the systems list as well. Without the first option selected, they would remain in the list indefinitely or, if the second check box is selected, until they have not been contacted for 90 days.

CHANGE MANAGEMENT SET PROPERTIES

After a management set has been created, it may be necessary to change the properties of that set. For a simple set, this means simply changing the name and/or comment; for a dynamic set, these properties include the scan ranges, inclusion and exclusion lists, scan options, and filter options. There are three ways to change the comment field for a set:

Select the management set and click Management Set Properties from the Groups menu.
Select Management Set Properties from the context menu (right-click menu) for the groups list.
Select Management Set Properties from the SystemsList menu in the Manage Systems dialog.

Doing any of these in conjunction with a simple management set will display the dialog shown below. Changing the properties of a dynamic management set will open the full dynamic management set property page. For more information about dynamic management sets, see Dynamic Management Sets (see "Adding Systems to a Dynamic Management Set" on page 30). When finished editing the management set properties, click OK to save any changes.
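The membership rules from the dynamic set sections above (range scan, Explicit Inclusions, Explicit Exclusions, the name filter and the two removal options) modelled as one refresh step; this is an added example, not the product's code. The class and field names are hypothetical, and it assumes the name filter applies only to scanned systems, names compare case-insensitively, and the 90 days count from the last successful contact (or from the day a system was added).

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

def _norm(names):
    """Assumption: system names compare case-insensitively."""
    return {n.upper() for n in names}

@dataclass
class DynamicSet:  # hypothetical model of the documented rules
    inclusions: set = field(default_factory=set)   # Explicit Inclusions list
    exclusions: set = field(default_factory=set)   # Explicit Exclusions list
    name_filter: str = "*"                         # '*' is the only wildcard
    remove_out_of_range: bool = True               # first removal option
    remove_after_days: Optional[int] = 90          # second option; None = unchecked
    members: dict = field(default_factory=dict)    # name -> date of last contact

    def _passes_filter(self, name):
        pattern = re.escape(self.name_filter.upper()).replace(r"\*", ".*")
        return re.fullmatch(pattern, name) is not None

    def refresh(self, discovered, contacted, today):
        """Apply one re-scan; return (added, removed) as sorted lists."""
        incl, excl = _norm(self.inclusions), _norm(self.exclusions)
        # Assumption: the name filter applies to scanned systems only.
        in_range = {n for n in _norm(discovered) if self._passes_filter(n)}
        before = set(self.members)
        # A system on both lists is excluded: exclusions always win.
        for name in ((in_range | incl) - excl) - before:
            self.members[name] = today
        for name in _norm(contacted) & set(self.members):
            self.members[name] = today
        for name, last_seen in list(self.members.items()):
            if name in excl:
                del self.members[name]
            elif name in incl:
                continue  # stays until taken off the inclusion list
            elif self.remove_out_of_range and name not in in_range:
                del self.members[name]
            elif (self.remove_after_days is not None
                  and (today - last_seen).days >= self.remove_after_days):
                del self.members[name]
        after = set(self.members)
        return sorted(after - before), sorted(before - after)

def demo():
    """Constructed scenario reusing the system names from the page's examples."""
    day0 = date(2024, 1, 1)
    strict = DynamicSet(inclusions={"ASQL01"}, exclusions={"SERVER"})
    lazy = DynamicSet(inclusions={"ASQL01"}, exclusions={"SERVER"},
                      remove_out_of_range=False)
    scan1 = {"WKS01", "WKS02", "WKS03", "SERVER"}
    scan2 = {"WKS01", "WKS02", "WKS04", "SERVER"}  # WKS03 left, WKS04 joined
    log = []
    for dyn in (strict, lazy):
        log.append(dyn.refresh(scan1, scan1, day0))
        log.append(dyn.refresh(scan2, scan2, day0 + timedelta(days=30)))
        log.append(dyn.refresh(scan2, scan2, day0 + timedelta(days=90)))
    return log

if __name__ == "__main__":
    for added, removed in demo():
        print("added:", added, "removed:", removed)
```

With the first removal option off, the constructed WKS03 record stays in the set for the full 90 days after it left the range, which is the window in which a job could still target it.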

IMPORT MANAGEMENT SETS

This tool offers various ways to create sets of machines to administer:

1) Import from a comma-delimited file.
2) Import from an ODBC data source.
3) Import from scanned IP ranges.
4) Restore management sets from a Regedit file.
5) Import from a Remote License Server.

IMPORT FROM A COMMA-DELIMITED FILE

This tool allows importing lists of systems from CSV files. This means that it is possible to store system lists in a text file or generate a system list from another program and then load it into a management set. To import from a comma-delimited file, simply select the directory and file name of the file containing the system list and click Open. A properly formatted text file will contain comma-delimited data in three columns:

1) The management set name
2) The management set comment
3) The machine name

Example:

    Windows Servers,All Windows machine,server-xyz

IMPORT FROM ODBC DATASOURCE

Many organizations are more than happy setting up system sets manually and populating those system sets from domain or browse lists. On the other hand, large companies that have a constantly changing inventory of machines under management will find manual methods cumbersome. The ODBC import capability allows this program to set up its management sets and machine members from a database of systems. Source databases can be comma-delimited files, Excel spreadsheets, and SQL Server databases. In fact, almost every database today has an ODBC interface that is compatible with this program.

To use this feature, system set data should be located in three columns within the data source: one column corresponds to the set name, another to the set comment, and a third to the system name.

GETTING STARTED

Before using this feature, permission to access the database containing the information is required. Next, set up a data source (also known as a DSN). This is under administrative tools. Lastly, identify which table contains the system set and machine name information as well as the column names for that information. Remember that the machine name must be the NetBIOS machine name or the TCP/IP address (although this is not nearly as friendly). The last part is to set up the program to perform the import and create a little snippet of SQL code to do the retrieval.

Below is the ODBC dialog:

Each part of the dialog and example steps to set up a simple interaction are described below.

Set the Database Connection String (on page 52)
SQL Statement (on page 53)
Retrieving the data using the database (on page 53)

SET THE DATABASE CONNECTION STRING

Click on the button to the right of the Database Connection String entry field. Select the tab for Machine Data Source. If the data source is already configured, select it from the list and click on the OK button. If the data source is not created, click on the New button. Using the wizard, create a data source to point to the database. This will involve picking a device driver, giving the data source a name, and finding it (attaching to it). Make sure an ODBC compatible data source is configured.

When all of the steps are completed correctly, the database connection string will become available:

    DSN=SYZCORP;DBQ=D:\SysMgr\xyz.mdb;DriverId=25;FIL=MS Access;MaxBufferSize=2048;PageTimeout=5;

SQL STATEMENT

Now write a simple piece of SQL code into the SQL Statement field. This is nothing more than a single line of text that tells the ODBC driver what table to use in your database as well as which fields to retrieve. The format of the code is:

    Select "field1", "field2", "field3" from Table

Optionally, add a second line containing a qualifier such as:

    Select "field1", "field2", "field3" from Table
    Where Table.field4 = 'Windows NT'

or other such qualification to make sure that only the correct records are retrieved. The returned fields are used as follows:

    field1: Group Name
    field2: Group Comment
    field3: Machine Name or IP Address

When retrieving data from an Excel database, put the Table portion of the SQL statement in square brackets [Table].

RETRIEVING THE DATA USING THE DATABASE

To execute the SQL code against the data source, click on the Get Data button. In the log at the bottom of the dialog note the statistics of the retrieval (example statistics):

    Unique Groups: 244
    Unique Comments: 5
    Unique Machines: 1569

At the top of the dialog are the retrieved records. The retrieved records show which system sets will be created as well as the machine names that will be added to those sets. To import all of these sets and machines, click on the Apply button. To merge into existing system sets, leave the check box Replace all existing sets and machines with this data unchecked. If the existing data should be purged and replaced with the retrieved data, set the box to the checked state.

IMPORT FROM A SCANNED IP RANGE

Use the IP Scanner to scan IP ranges for systems and then use the resulting systems list to create a new management set. To perform this operation:

1) Click on the Scan IP Ranges for Systems from the Groups menu.
2) Set up the IP Scan to find the systems to include in the management set.
3) Click on Export Scanned Entries from the File menu in the IP Scanner.
4) Select an option for creating new management sets or importing into an existing management set.
5) Click OK.

The tool will state how many total machines were added to the target management set. For more information about using the IP Scanner, see IP Scanner.

RESTORE INTERNAL DATABASE FROM A REGEDIT FILE

To restore all the internal database information from a backup RegEdit file, click on Restore Internal Database from a RegEdit file from the Program menu on the main dialog. Now select the name of the backup file and the path to that file. Choose to merge the backup with the current data if new management sets were added that should be kept, or choose to replace the current internal database with the backup, which will overwrite any existing management sets. Click OK to complete the restore.

Note: An appropriate serial number for the host system or remote access to a licensed system will be required.

IMPORT SETTINGS FROM REMOTE LICENSE SERVER

Import Settings from Remote License Server allows importing User Manager Pro settings from another Remote License Server onto the current machine. These settings include all program data and configuration including management sets, preferences, logging options, alternate administrators and scheduled jobs.

BACKUP MANAGEMENT SETS

There are various ways to back up existing management sets:

1) Backup Internal Database to Regedit File.
2) Export to Comma Delimited File.
3) Export Settings to a Remote License Server.

BACKUP INTERNAL DATABASE TO REGEDIT FILE

The option to Backup Internal Database to RegEdit File will save all the internal management sets and settings to a regedit file. Specify a path and a file name for the new backup file. This backup may be used to back up program settings or transfer settings from machine to machine.

Back up the program management set database (program management sets and system information) to a regedit file. If using the random password generator add-on, it is possible to back up just the stored password portion of the program database. This operation can also be scheduled. The backup will be scheduled as an AT task on the local machine with default AT task settings.

EXPORT SYSTEM SETS TO A COMMA

To back up all program information including management sets to a CSV file, choose Export to Comma-Delimited File from the System Set menu on the main dialog. This will save the system list database to a comma-delimited text file. Specify a path and a file name for the new backup file. The text file is human readable and can be used to back up system sets for disaster recovery or to transfer set information from one computer to another.

EXPORT SETTINGS TO REMOTE LICENSE SERVER

When using remote licensing (license sharing), the management sets and other settings are not automatically shared between all of the management consoles. To push or pull settings between remote license servers, go to the Groups menu on the main dialog and select Export settings to remote license server or, if importing from the remote license server, Import settings from remote license server. This option will only be available when remote licensing is in use.

This will copy all the program settings to the Remote License Server. The local machine must be connected to the remote system specified in the Registration dialog.

When using this option, all information regarding management sets, machine information and more will be sent to the remote system. This will update any existing management sets and system information that are on the remote license server. This operation will not remove any additional management sets or system information that are found only on the remote system.

This feature can be used to synchronize management set information between multiple administrators that work on the same sets of systems from different physical locations.

Click Yes to continue with the update.

DELETE MANAGEMENT SET

This deletes the selected management set(s). Select one or more management sets to delete, then click the Delete button in the lower left of the main dialog.

DELETE INTERNAL DATABASE

This deletes the program's internal database from the registry. Use this option to remove all program configuration information from the local registry including: management set information, system information, job information, alternate administrators, dialog settings, database settings, report settings, and deferred processor settings.

Please note that when using an external database to store reporting results data, the reporting data will not be deleted using this operation. Licensing information is also not affected by this operation. This operation will not affect the registry of a remote license server when using remote licensing.


MANAGE SYSTEMS DIALOG

This chapter describes the Manage Systems dialog and its basic features. To open a management set once it has been created, either double-click the management set from the main dialog or highlight the management set and click the Activate button.

IN THIS CHAPTER

Manage Systems Dialog
Manage Systems Dialog Pull-Down Menus
Manage Systems Dialog System List Columns
System Name Resolution
Selecting Machines
Highlight Lists
Refresh Info (Get Role/Version)
Update Management Set
View Management Set Update Log
Stop Current Operation
Remove Systems from Management Set
Highlight Connected Machines
Physically Identify Machine(s)
Generate Report on Systems in Management Set

MANAGE SYSTEMS DIALOG

The Managing Systems dialog is shown below. It is the launching point for most operations within User Manager Pro. Although this dialog looks a little intimidating, it is really simple and quick to use. The general idea of the program is to highlight one or more systems, then click on one of the Category of information to set buttons to perform a management action or the Get Info button to perform a report.

Below the title bar is the systems list. This is the list of all the systems that are a part of the current management set. The list can be sorted by any of the columns by clicking on the corresponding column heading to toggle between ascending and descending order.

The Systems List area located at the center left of the dialog contains buttons for adding and removing systems from the current management set. These mechanisms are shortcuts to operations which are documented in Adding Systems to a Simple Management Set (on page 17) in the Managed Systems Lists chapter. All the operations performed by these buttons can also be found in the SystemsList menu.

The Select area contains buttons to assist with system selection such as selecting all systems or no systems.

The buttons located in the Category of Information to Set area below the list of machines are actually shortcut buttons for common tasks. This may look a bit cluttered, but it makes common administration tasks a lot faster. These features are each covered in their own chapters in this document.

The Get Info button brings up the Reporting (see "Reporting Types" on page 147) dialog and allows running various reports on selected systems.

The Multitasking area shows how many active worker threads the program currently has running and outstanding. Multi-threading settings can be adjusted using the Max Threads option in the Multitasking area to optimize performance. The stop button tells all the current threads to stop. Pressing the stop button during an operation will not quit the current operation. Rather, when the threads return with the information they will be ignored. The net result is that time will be saved by not having to process or render the data that was gathered.

The Select/Highlight Systems Lists allows generating lists of highlighted systems to make changes to. To create a new list of highlighted systems, simply highlight them and click on New, and then name the new list of systems. In the future, to select those systems again, just double-click the named highlight list entry. Changes to the list can be saved using the Save button and systems lists can be deleted using the Delete button.

The highlight lists allow easy selection of groups of systems to make moving between operations and target systems that much quicker. Each highlight list is comprised of one or more systems from the systems list. An example of this feature in use would be creating a highlight list composed of all servers in the systems list and another for all workstations. While the management set contains both servers and workstations, it is now easy to select only workstations or servers for management.

The status field displays what the program is doing at the present moment. Number of Items in list is the number of systems in the current management set. The progress indicator is an estimated indicator of how much of the current task is completed.

The Log: Open button is used to open the User Manager Pro transaction log. This log may also be opened by double-clicking in the log window at the bottom of this dialog or by selecting View from the Settings View Logging Options menu item.

MANAGE SYSTEMS DIALOG PULL-DOWN MENUS

SETTINGS

General Options - General program options.
Logging Options - Options for logging.
Data Store Configuration - Configure the reporting results datastore.
Settings - Set up SMTP settings.
Application Components - View and configure settings for program components used by User Manager Pro.
Alternate Administrator Accounts - Set up alternate accounts used to handle cross-domain operations.

SYSTEMSLIST

Add From Domain Systems List - Choose systems to add to the current management set from a list of all the systems in a domain.
Add From Network Browse List - Add systems using the simple network browser.
Add From Shell Network Browse List - Add systems using the built-in Windows shell network browser.
Add From Manual Name Entry - Add systems by manually entering the system name.
Add Using Active Directory Picker - Add systems using the built-in Active Directory Object Picker.
Scan IP Ranges for Systems - Use the IP Scanner to add systems.
Import/Export Systems List - Import or export lists of systems to the management set.
Update Management Set - Scan the dynamic ranges of the active management set for changes in network configuration (add new systems or remove old systems).
View Management Set Update Log - View the log for this management set's update history.
Management Set Properties - Set the properties of the current management set.
Remove Systems From Management Set - Remove the selected machines from the management set.
Remove Duplicate Systems - Remove multiple instances of the same machine from the management set.
Systems Excluded from all Operations - Edit the Exclusion list containing systems that are not normally modified by User Manager Pro.
Generate Report on Systems in Management Set - Use the report generator to export information about systems in the management set.

DEFERREDPROCESSING

Jobs Monitor - Monitor, edit, add, stop current jobs.
Retry Policy - Edit the global retry policy for jobs.

MANAGE

Users - Manage users.
Password Recovery - Recover "remembered" password changes/updates. Primarily used by the Random Password Generator.
Multi-User Change - Allows performing mass user account operations: add, update, and delete.
Local Groups - Manage Local Groups.
Local Members - Manage Local Group Members.
Global Groups - Manage Global Groups.
Global Members - Manage Global Group Members.
Rights - Manage rights on systems.
Policies - Manage security policies on systems.
Auditing - Set up the settings for auditing.
Event Log Settings - Manage settings for different types of event logs on systems.
Registry Keys/Values - Edit Registry Keys and values for selected machines.
Registry Perms - Assign permissions to specified registry keys.
File Operations:
  File Lockout - Lockout files from being run, read, copied, deleted, or changed.
  Push/Run Application - Copy file(s) to remote machine and run them.

MISC

Refresh Info (Get Role/Version) - Refresh the system information about the selected systems.
Scheduled Refresh - Schedule a refresh job to happen for the selected systems on a reoccurring basis.
Reboot - Reboot selected machines.
Abort Reboot - Abort any pending reboot commands for selected machines.
Send Message - Send a text message to selected machines.
Send Wake on LAN Packet - Send a Wake on LAN Packet to the selected machines.
Schedule Wake on LAN Packet - Schedule a Wake on LAN packet to be sent to the selected systems.
Physically Identify Machine(s) - Make systems perform physical operations to identify them.
  Play Music
  Eject/Load Removable Media

Highlight Connected Machines - Highlight machines connected to selected machines.
Resolve Systems By - Define the method that the program uses to identify and communicate with systems.
  System Name
  NetBIOS Name
  IP Address

REPORTING

Reporting - Opens the reporting dialog. Same as Get Info button.
Advanced Reporting On
  Users Logged On
  Accounts
  Local Group Members
  Global Group Members
  Windows Updates
  Rights
  Event Log Entries
  Registry Values
  Files
  System Info from WMI
  Network Shares
  File Permissions
Manage Stored Reports - View reports that have been run previously and saved to the database. This option is only available if the program is configured to store reporting results in a SQL Server database.
Reporting Options - Configure how to handle report data after reports are complete.
Reporting Data Store - Configure the reporting results data store.

REMOTECONNECTION

(Note that these options require downloading and installing the additional VNCPass application from our website)

Open Terminal Service Session - Attempts to connect to terminal services on the selected system(s).
Auto-Open VNC Connection - Attempts to open a VNC connection and logon to selected system(s).
Open VNC Viewer - Opens a VNC connection to the selected system(s).
VNC Options - Edit VNC options. These options include locations of the VNC service for copying to the remote systems, local VNC viewer settings, additional command line options, and security/password settings.
Import VNC Settings from .rcm File - Allows importing VNC settings from a pre-existing .rcm file.
Install VNC on System(s) - Installs the VNC service on the target system(s).
Remove VNC from System(s) - Removes the VNC service from the target system(s).
Start VNC Service on System(s) - Starts the VNC service on the target system(s).
Stop VNC Service on System(s) - Stops the VNC service on the target system(s).
Restart VNC Service on System(s) - Stops and then starts the VNC service on the target system(s).
Set VNC Password - Sets the password on the target system(s) for the VNC service.

HELP

Help Contents - Opens this help file.
Show Logon Info - Show the current logon information.
Revision History - Opens the product's revision history.
Check for Updates - Connect to Lieberman Software's website to see if there is a new version of User Manager Pro.
About - Opens the about box for license, version, and product information.

MANAGE SYSTEMS DIALOG SYSTEM LIST COLUMNS

The main window has one row for each machine in the current management set. Each row is defined by the following columns:

System (with status) - This is the name of the system for addressing and display purposes. When User Manager Pro attempts operations on this system, it will use this name to identify the system on the network (unless a resolution mechanism other than the default is selected; see "System Name Resolution" on page 67). The status shows the last connection or operation result (green = good, yellow = unknown/intermediate, red = failed).
Machine Comment - This column displays the computer's description from its machine's network settings.

License Status - This column shows whether or not the system has a license token assigned to it. If a system has just been added to a management set, this column will show '?'. If the machine has been managed, the value will be YES.
Role - This is the main role for the system. This can be WS (Workstation), SRV (Server), PDC (Primary Domain Controller), or BDC (Backup Domain Controller). The role determines the operations which are possible on that server (e.g. machines with a role of WS or SRV cannot accept global group changes). In Active Directory, the PDC is the machine that holds the PDC emulator FSMO role.
Version - The internal (NT) version of the operating system. Possible values are:
  Windows NT 4 = NT4, 4.0
  Windows 2000 = W2K, 5.0
  Windows XP = XP, 5.1
  Windows Server 2003 = 2003, 5.2
  Windows Vista = 6.0
  Windows Server 2008 = 6.0
  Windows 7 = 7, 6.1
  Windows Server 2008 R2 = 2008 R2, 6.1
  Windows 8 = 8, 6.2
  Windows Server 2012 = 2012, 6.2
  Windows 8.1 = 8.1, 6.3
  Windows Server 2012 R2 = 2012 R2, 6.3
Resolve By - This is the network identifier which is used to resolve the system on the network. For more information, see the name resolution page (see "System Name Resolution" on page 67).
NetBIOS Name - The NetBIOS name of the machine. NetBIOS names must be unique on a local area network, but may be duplicated on different networks.
IP Address - The IP address of the system.
Subnet Mask - The subnet mask for the IP address. If this is blank, User Manager Pro could not access the remote machine, or could not find the IP address in the machine's network configuration information.
DHCP - Yes means that the address was assigned by a DHCP server for this machine, No means that the IP address is fixed (static).
MAC Address - This is the hardware address of the network card to which the IP address is assigned. This value is hard coded in the card itself, but may be overridden in Windows. This information is used for Wake on LAN operations.

Domain - The NetBIOS name of the domain or workgroup the machine belongs to.
Connection Speed - This column is hidden between the Domain and Checked columns and must be expanded. It shows the speed of the last connection attempt.
Checked - This is the last time User Manager Pro attempted connecting to the machine.
Status - The status for the last operation which was done against the machine. This value updates dynamically as operations are in progress, and will often indicate what step of an operation is currently in progress on that machine.

The columns can be resized to accommodate viewing needs (for example, to reduce the size of unneeded columns). User Manager Pro will remember the last sizes for all the columns of the main window.

SYSTEM NAME RESOLUTION

When adding systems to a management set, there are various methods which can be used to resolve computer names. This product supports NetBIOS names, system names (fully qualified DNS or simple), and IP addresses. There are valid reasons to use each depending on network configuration.

IP addresses can be used, but they have two problems: they don't necessarily provide a very meaningful identification for a machine, and they may be re-assigned through DHCP. Both of these problems might cause an administrator to make changes on the wrong machine inadvertently.

With a DNS name, a machine can be specified in both an easily identifiable way, and a way which is insensitive to changes in the machine's IP address through DHCP as long as DHCP and dynamic DNS are linked together.

To check if a name is resolvable, try pinging the machine by name from the command line interface. If the ping resolves to the correct machine, the solution will be able to use that name to manage the machine (it uses the same resolution mechanism as ping does).

Note: Being able to ping a computer is not an indication the computer will be manageable but rather indicates if that name is responsive on the network. Management of the computer is dependent on other systems such as SSH, RPCs, etc. that are not tested with a simple ping.

When the program does a Get Role/Version (Refresh) operation, it retrieves the NetBIOS name and IP address of each managed machine. By default, the computer is resolved by whatever name is in the System column (which can be a NetBIOS name, an IP address, or a DNS name). The resolution method can be changed by right-clicking on the computer(s), and selecting a Resolve By option. This will cause the product to use the alternate name of the computer for name resolution. In most cases, however, the computer name should be sufficient for name resolution. In addition, the other information can then be examined to make sure operations will affect the correct system(s).
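The wrong-machine risk described above can be checked before a bulk operation. The following is an added example, not part of the guide or of User Manager Pro: it audits system list rows for entries addressed by a DHCP-assigned IP and for names that no longer resolve to the address recorded at the last refresh. The row layout, the finding labels and the constructed DNS table are assumptions; `system_resolver` only approximates the resolution that ping uses.

```python
import ipaddress
import socket

# Constructed rows; keys mirror the System, Resolve By, NetBIOS Name,
# IP Address and DHCP columns, but this dict layout is an assumption.
SAMPLE_ROWS = [
    {"system": "FILESRV01.corp.example", "resolve_by": "System Name",
     "netbios": "FILESRV01", "ip": "10.0.0.10", "dhcp": "No"},
    {"system": "10.0.0.57", "resolve_by": "System Name",
     "netbios": "WKS-057", "ip": "10.0.0.57", "dhcp": "Yes"},
    {"system": "WKS-114.corp.example", "resolve_by": "System Name",
     "netbios": "WKS-114", "ip": "10.0.0.114", "dhcp": "Yes"},
    {"system": "OLDBOX", "resolve_by": "NetBIOS Name",
     "netbios": "OLDBOX", "ip": "10.0.0.30", "dhcp": "No"},
]

# Constructed name table used for the offline demonstration.
CONSTRUCTED_DNS = {
    "FILESRV01.corp.example": {"10.0.0.10"},
    "WKS-114.corp.example": {"10.0.0.201"},  # lease moved since last refresh
}


def constructed_resolver(name):
    """Offline stand-in for a real lookup."""
    return CONSTRUCTED_DNS.get(name, set())


def system_resolver(name):
    """Resolve through the operating system; returns a set of IPv4 strings."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def effective_identifier(row):
    """The identifier used on the wire: the System column unless Resolve By
    selects the NetBIOS name or the IP address instead."""
    if row["resolve_by"] == "IP Address":
        return row["ip"]
    if row["resolve_by"] == "NetBIOS Name":
        return row["netbios"]
    return row["system"]


def audit_row(row, resolver=system_resolver):
    """Return a list of findings for one row (empty list means no concern)."""
    ident = effective_identifier(row)
    if is_ip_literal(ident):
        # An IP target is only stable when the address is static.
        return ["dhcp-ip"] if row["dhcp"].strip().lower() == "yes" else []
    resolved = resolver(ident)
    if not resolved:
        return ["unresolvable"]
    if row["ip"] and row["ip"] not in resolved:
        # The name now points somewhere other than the recorded address.
        return ["resolves-elsewhere"]
    return []


def audit_systems(rows, resolver=system_resolver):
    """Map each flagged System value to its findings."""
    report = {}
    for row in rows:
        findings = audit_row(row, resolver)
        if findings:
            report[row["system"]] = findings
    return report


if __name__ == "__main__":
    for system, findings in audit_systems(SAMPLE_ROWS, constructed_resolver).items():
        print(f"{system}: {', '.join(findings)}")
```

A flagged row is a prompt to run Refresh Info (Get Role/Version) and compare the NetBIOS name and MAC address columns before applying changes.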

SELECTING MACHINES

Select machines in the systems list by clicking on them. Select multiple machines by using CTRL+Click to select multiple specific systems or SHIFT+Click to select a range of systems.

HIGHLIGHT LISTS

This feature allows saving and recalling lists of highlighted systems within a set. Use multiple selection lists together to combine sets. The Highlight Lists panel is located in the Manage Systems dialog on the right side of the dialog in the section labeled Select/Highlight System Lists.

To save a list of highlighted systems, first highlight the machines that should be a part of the list and then click on New. Enter the new name for the list of selected machines and click OK. The list created will appear on the Highlight Lists panel.

To select the systems in the list, simply highlight the name of the list and click Select or double-click on the name.

To edit a highlight list, simply select the machines that will make up the new list and then highlight the highlight-list-name and click Save.

To delete highlight lists, just select the lists and click Delete.

Note that this list is additive in nature and that highlighting a list of systems using the highlight list feature does not de-select any currently selected systems.

REFRESH INFO (GET ROLE/VERSION)

This command refreshes the current selected system(s) and all properties of each system. If no systems are selected, then every system in the management set will be refreshed.

To perform a refresh, select one or more systems or no systems, then select Misc Get/Role Version, or press F5, or select Refresh Info (Get Role/Version) from the context menu.

A system refresh attempts to connect to all selected systems using the current credentials (and optionally any supplied alternate credentials) and attempts to retrieve the system information such as system name, the current domain (if the machine is in a domain), system name resolution type, operating system version, IP address, DHCP, MAC Address, primary system role, and current status.

Performing a refresh does not cause the assignment of a license token (see "License Token Assignment" on page 271) to a system.

System information can also be refreshed on a scheduled basis by using the Schedule Get Role/Version Info from the Misc menu.

Information in this display can be exported to CSV or HTML file by selecting Generate Report on Systems in Management Set from the SystemsList menu. See Report Generator / Output Settings (on page 205) for further details.

UPDATE MANAGEMENT SET

To update a management set go to SystemsList Update Management Set. This option will re-scan the discovery ranges of the current management set. If additional machines are found in the range, they will be added to the management set. Updating dynamic management set members will also test any new alternate administrator identities to see if any more machines in the management set can be managed using the additional credentials. Depending on the dynamic management set settings, systems that have been out of contact may be removed from the management set during an update as well as systems that are no longer found within the range of the dynamic management set.

This option will only be active when you are currently managing a dynamic management set.

VIEW MANAGEMENT SET UPDATE LOG

To view the update log for the management set go to SystemsList View Management Set Update Log. This will display the log file for the active management set updates. The log will show when the management set was updated in addition to the changes that were made to the system list as a result of the updates.

STOP CURRENT OPERATION

This sends a message to all the current threads to stop working on the current task.

Note: The actual operations may take some time to stop. For example, if the program is performing a network call when the stop is initiated (which is common), the thread will not be able to stop until the network operations time out. Due to the way Windows is designed, forced termination of threads may have bad side-effects, so UMP will wait for threads to finish or time out when the stop button is clicked.

REMOVE SYSTEMS FROM MANAGEMENT SET

There are three ways to remove systems from the current management set. Highlight the systems to remove:

1) Click Remove Systems from management set from the SystemsList menu.
2) Click Delete Systems from the context menu (right-click menu) of the systems list in the Manage Systems dialog.
3) Press the Delete key on the keyboard.

HIGHLIGHT CONNECTED MACHINES

To see all of the machines and users connected to any Windows machine in the network and then use that information (i.e. send messages, reboot systems etc.), the highlight connected machines feature will be very useful.

To identify all users and systems connected to a specific system, go to Misc Highlight Connected Machines from within any management set:

If the Machine to draw connection list from: field is blank, the program will automatically show all of the connections to the shares of the local machine. To see the connections on another machine, change the field from blank to the name of the machine of interest (for example, a server), then click on the Refresh button.

The first list (top) shows all of the shares with active connections where the share name, connected user account, and machine making the connection are shown. It is not unusual to see blank Connected Users fields. The top list is for information only.

The bottom right field shows the complete list of users that are using shares on the selected machine. This list is for information only.

The bottom left field shows the complete list of machines that are referenced in the top list. This list will be used for selecting systems in the current management set.

Tip: Get the most current list of connections at any time by clicking the Refresh button. All of the lists will be refreshed.

To highlight all of the referenced machines (lower left pane) within the current management set, click on the Apply button. If any of the machines in this list are not in the current management set, a confirmation pop-up will appear asking whether to add the missing systems to the current management set. After adding the systems to the current management set, the newly added systems will be highlighted and will be ready to manage.

Tip: After completing the highlight operation, save the set of highlights under a name of your choice by clicking on the New button in the highlight area (right part of main dialog).

PHYSICALLY IDENTIFY MACHINE(S)

The Physically Identify Machine(s) feature will cause the selected machine(s) to perform physical actions so that machines can be physically identified and matched to their name in the systems list. This feature can be accessed from the Misc menu when any management set is activated. Simply select one or more machines and choose Physically Identify Machine(s).

Play Music - This causes the remote machine to play music. Currently, the sound played is not changeable.
Eject/Load Removable Media - This causes the remote machine to eject and close its removable media tray if one is present.

GENERATE REPORT ON SYSTEMS IN MANAGEMENT SET

Use Generate Report on Systems in Management Set to export the list of systems and all the visible system settings to a report using the built-in Report Generator. Using the Report Generator (see "Report Generator / Output Settings" on page 205), the user can view, print, archive, or the system information to one or more recipients.


OPERATIONS

This chapter outlines the operations that can be performed within this tool and what to expect when these operations succeed or fail (see "Job Results Dialog" on page 203).

IN THIS CHAPTER

Managing Users
Managing Windows Groups
Managing Windows Group Members
Managing Rights
Managing Policies
Managing Auditing
Managing the Registry
Managing Event Log Settings
Managing Files, Applications, and Updates
Miscellaneous Operations
Reporting Types
Job Results Dialog

MANAGING USERS

This section describes how to create and modify users on the systems in management sets. It is possible to create, modify, and delete users on any Windows system in the product. If managing the domain controller then these new users or new settings are applicable to the domain accounts for that domain.

Shown below is the Users dialog. There are three ways to open this dialog while in a management set:

1) Click Manage Users.
2) Right-click on one or more machines and select Users from the context menu.
3) Click the Users button from the central panel in the Manage Systems dialog.

The users that are created, changed, or deleted affect all highlighted machines. Note that if no systems are selected, then there will be no changes.

This dialog allows adding new users to systems, changing existing user properties, deleting users, and setting scripts and profiles for users (applicable to local logons if on local machines).

When finished configuring the dialog, click Apply to make the changes or SCHEDULE (see "Deferred Processing" on page 241) to use the Job Scheduler to make changes at another time.

USER ACTIONS

In the Users dialog, the action area (top left) determines whether UMP will add, update, or delete users from the systems.

If updating a user or set of users (rather than adding or deleting), the check boxes to the left of each field determine whether or not that specific aspect of the user is updated during the operation. For example, if updating a user and it is only desired to change the password, only check the update box next to the password information. This will ensure that none of the other user information is updated during this operation. Only the fields that have been marked for update will be active during an update operation. If deleting users, none of the fields will be active except the user name field.

Delete all except required users: This option is used to remove all of the user accounts except for those specified in the accompanying editable list box. Use this option to clean up unwanted accounts on workstations/servers so that only approved accounts are in each target system. THIS OPTION CAN BE USED TO GET RID OF EXTRA ACCOUNTS THAT REPRESENT SECURITY RISKS. The list of required users can be drawn from any machine (workstation, server, or domain controller). Before any accounts are deleted from target machines, the list of required users must already be found on each target machine. If any of the required users are missing, all deletions on that machine will be aborted with a message in the log explaining what user(s) was/were found missing. It is possible to override this protection and delete extra accounts (Delete even if some users are missing), however this action might leave no way to access the machine being changed.

Affecting Renamed Built-in Administrator or Guest Account: All NT (and later) machines have the built-in (and non-removable) accounts Administrator and Guest. These accounts always have the same relative ID (RID). The built-in administrator is always 500 and the built-in guest is always 501. For enhanced security, these accounts are sometimes renamed. To affect the built-in Administrator account without specifying it by name, use the identifier *A. To affect the built-in Guest account, use the identifier *G. These reserved values can only be used in the original user name field. In order to change any other account on the target systems, they must be referenced by the actual user name.

USER FIELDS

These fields are where the information for the user account is stored. They can be filled out when a user account is created, or changed when a user account is edited. They are irrelevant when an account is deleted.

Users managed through this interface will all receive the same settings. To create or manage multiple users and give them unique settings, use the Multi-User Change (see "Multi-User Operations" on page 102) feature rather than the Users dialog.

Special Cases: The left side of the Users dialog contains the special cases handler. These settings will identify what to do when conflicts arise during the management process such as duplicate names.

ORIGINAL AND NEW NAME FOUND - This case happens when revising the user name of an existing user and both the old and the new name are found.

No Action - Do nothing, do not create the new user.
Delete Original - Delete the original user and create the new user.
Delete New and Rename Original - Do not create the new user and change the old user name to the new name.

ADD OPTIONS

If user already exists, do an update instead - This option indicates if the target user is already found on the systems, then an update will automatically be performed instead to set the new attributes.

UPDATE OPTIONS

Add missing User - If the user is not found on the systems, then add the user with the updated fields.
Reset locked out account - If the user has been locked out, then the user account will be automatically unlocked.

Basic User Settings: The center portion of the Users dialog contains settings for user name, description and password updates.

USER NAME (ORIGINAL) - This is the name of the target user or users. For more information and options, please refer to the User Name (on page 94) section.
REVISED NAME - Change the name of an existing user on all selected machines.

FULL NAME - This is the full descriptive name of the user.
DESCRIPTION - A description of this user.
USER COMMENT - A comment field to supply any additional information about this user.
PASSWORD OPTIONS - These fields handle setting the password for the user's account. Options for setting the password include fixed, which sets a static unchanging value, or a random password. The Random Password option will only be enabled if the optional Random Password Generator (RPG) feature has been enabled. For more information on the RPG feature, please refer to the Random Password Generator (on page 85) section.
ACCOUNT TYPE - An account can be derived from one of three types: Guest, User, or Administrator. The differences between them determine what type of privileges the account has by default. If performing this operation on a domain controller, the user will be made a Domain User or a Domain Administrator if User or Administrator is selected. Note that if a user is selected to be an administrator, they will not be made a member of the Users or Domain Users group.

Account Flags

Use the account flags area in the top right of the Users dialog to control the password and account disable flags of the target user accounts.

90 Operations 83 Password NOT Required - This means that the user is allowed to have a blank password. User Must Change Password at Next Logon - The next time this user logs in, they must change their password. User Cannot Change Password - The user can not change their password. Password Never Expires - The user never has to update their password. Account Disabled - lock the account so that it cannot be used. Extended User Info & Profile Information Use the right side of the User's dialog to control account expiration and user profile and home directory settings. ACCOUNT EXPIRATION - sets the account expiration date for the account. When the date is reached, the account will automatically be disabled. USER PROFILE PATH - Set the path to this user's profile. LOGON SCRIPT NAME - Set the path and file name of a logon script to use for this user. HOME DIRECTORY - Set up the home directory of this user as either a local directory or as a path on a mapped network drive. If the home directory is not found for an added user, UMP can create a new home directory. User Manager Pro will change the security settings for the new folder to allow the new user to have full access to the new home directory folder. User Manager Pro will not remove

91 Operations 84 Administrators from the permissions list or Users from the permissions list (Admins have full control by default and Users have read only by default). VPN/Dial-in Settings Use these settings to configure the dial-in permissions for users to a system. These settings control the security authorization and authentication settings for dialing into a virtual private network. For more information on setting the VPN/Dial-In settings, please refer to the VPN/Dial-In Settings section. Exchange Mailbox Settings CREATE EXCHANGE SERVER MAILBOX - creates an exchange mailbox (see "Exchange Mailbox Creation" on page 100) for the users using default settings for rights and aliases. Add Users to Groups ADD USERS TO GROUPS - Use the Add Users to group options to add the target users to one or more groups. By clicking the ellipses next to the option, a new dialog will appear to permit specifying the names of the groups to add the user(s) to. AD Fields SET AD SPECIFIC FIELDS - sets extended Active Directory Attributes. This is not a dynamic list based on the current AD schema; these values are hard coded. For more information on setting AD Fields, please refer to the Active Directory Specific Fields (on page 97) section.

92 Operations 85
RANDOM PASSWORD GENERATOR
The Random Password Generator is an add-on feature for User Manager Pro that allows generating random passwords for accounts on target systems. This feature is specifically useful for randomizing the passwords of local administrator accounts on a scheduled basis, though it may be used for any account. Using this feature will set a unique password value for each account it touches. The payoff is that should a single password be compromised on a target system, the malicious users will not automatically have admin access to all of the other machines, because all the machines will have different random passwords for the local admin account. Even if someone breaks one of the random local administrator account passwords, that password will only work for that one machine.
Steps for setting up random passwords on an account on all the selected machines:
1) Highlight Systems to Update.
2) Open up the Users dialog.
3) Set the Action to Update.
4) Enter the User Name of the account to set the password for.
5) Check the update check box to the left of the password options.
6) Click the radio option to Generate Random Password for each account.
7) Use the Change button for password complexity options.
8) Check the Save Passwords for Retrieval check box to be able to retrieve the passwords later.

93 Operations 86 9) Click Apply to run the job now or click Schedule and use the Job Scheduler to run the password generation on a regular schedule.

94 Operations 87
RANDOM PASSWORD GENERATOR OPTIONS
Shown below is the Random Password Generator Options dialog:
PASSWORD LENGTH
Define how many characters are in each randomly generated password. In the Windows world, strong passwords are generally 15 characters or more. To set passwords of 15 characters up to 127 characters, set the password compatibility to Windows 2000/XP/2003 Compatible.
PASSWORD BACKWARD COMPATIBILITY
LM (W95/98) Compatible - This option generates passwords that will be compatible with Windows 95, 98, ME, and OS/2 machines. Lower case characters are not allowed and the maximum length is 14 characters.
NT Compatible - This option generates passwords that will be compatible with Windows NT machines. This is a common choice for passwords. The maximum length of an NT password is 14 characters.
Windows 2000/XP/2003 Compatible - This option generates passwords that can be longer than 14 characters. As passwords get longer, they get very difficult to crack using brute force attacks. The maximum length for passwords in these systems is 127 characters. Be aware that Windows NT machines will not be able to remotely access these machines if the passwords are over 14 characters in length, because Windows NT only allows a maximum of 14 characters of input for passwords.
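The length and backward-compatibility rules described above can be sketched as follows. This is an added example, not User Manager Pro's own code: the mode keys ("lm", "nt", "w2k"), the function names and the symbol set are assumptions made for illustration.

```python
import math
import secrets
import string

# Length limits and case rules per compatibility mode, as stated in the guide.
# The mode keys ("lm", "nt", "w2k") are names chosen for this example.
MODES = {
    "lm": {"max_len": 14, "lowercase": False},   # LM (W95/98) Compatible
    "nt": {"max_len": 14, "lowercase": True},    # NT Compatible
    "w2k": {"max_len": 127, "lowercase": True},  # Windows 2000/XP/2003 Compatible
}
SYMBOLS = "!#$%&()*+-.:;<=>?@[]^_{}~"  # assumed symbol set, not taken from the guide


def character_classes(mode, upper=True, lower=True, digits=True, symbols=True):
    """Return the character classes permitted for this mode and these flags."""
    classes = []
    if upper:
        classes.append(string.ascii_uppercase)
    if lower and MODES[mode]["lowercase"]:  # LM mode never permits lower case
        classes.append(string.ascii_lowercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(SYMBOLS)
    if not classes:
        raise ValueError("at least one character class must be permitted")
    return classes


def generate_password(length, mode="w2k", **class_flags):
    """Generate one password using the OS CSPRNG, honouring the mode limits."""
    classes = character_classes(mode, **class_flags)
    max_len = MODES[mode]["max_len"]
    if not len(classes) <= length <= max_len:
        raise ValueError(f"length must be {len(classes)}..{max_len} for mode {mode!r}")
    # One character from every permitted class, the rest from the full pool.
    chars = [secrets.choice(cls) for cls in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide which positions were forced
    return "".join(chars)


def entropy_bits(length, mode, **class_flags):
    """Approximate brute-force search space in bits: length * log2(pool size)."""
    pool = "".join(character_classes(mode, **class_flags))
    return length * math.log2(len(pool))


def randomize_accounts(systems, length=20, mode="w2k"):
    """Issue a different password to the same account on every system."""
    issued = {}
    for system in systems:
        password = generate_password(length, mode)
        while password in issued.values():  # a repeat is vanishingly unlikely
            password = generate_password(length, mode)
        issued[system] = password
    return issued


if __name__ == "__main__":
    # Constructed system names, for illustration only.
    for name, pw in randomize_accounts(["PC01", "PC02", "PC03"]).items():
        print(name, pw)
    print(round(entropy_bits(14, "lm")), "bits (LM, 14 chars) vs",
          round(entropy_bits(20, "w2k")), "bits (2000/XP/2003, 20 chars)")
```

Comparing `entropy_bits` across modes shows why the LM setting, with no lower case and a 14-character cap, gives the smallest search space of the three.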

95 Operations 88
The options on the right dictate what characters can make up legal passwords. The more characters permitted, the harder it is to break the password.
TEST SETTINGS
Try out the password settings and generate example passwords.
RANDOM PASSWORD RECOVERY
Randomly generated passwords can be retrieved from the UMP system directly or by using the optional web based Password Recovery Console (PRC Website). Note: in order to retrieve a previously randomized password, the option to store them must have been set when the passwords were managed. To retrieve a password from the management console, go to Manage > Password Recovery. The default password for this dialog is MI4GUYC. This default password can be changed once the dialog is open. To change this password go to Edit > Change Recovery Access Password.

96 Operations 89
Shown below is the Random Password Recovery screen:
Access to the password recovery database is password controlled. The password database is encrypted and stored within the registry. The encrypted registry section is ACL restricted to administrators.
From the File menu...
Report Generator - Use the Report Generator (see "Report Generator / Output Settings" on page 205) to output the list of systems, account names, change dates, and passwords. To do this, just click File > Report Generator.
Backup Passwords to RegEdit Backup File - To do this, click File > Backup RPG Database to RegEdit Backup.
Restore Passwords from a RegEdit Backup File - To do this, click File > Restore PRG Database from a RegEdit Backup.

97 Operations 90
From the Edit menu...
View Single Entry - This will show the selected machine, account, password, and date that RPG last changed the password in a much larger format.
Delete Entries - This will delete the selected entries from RPG's database.
Change Recovery Access Password - This allows setting the password that is required to recover passwords from the internal database directly from the UMP console. WARNING! Store this new password securely, because if it is lost there will be no access to the stored passwords from the management console in the future.
Refresh List - This will refresh the list with the most current list from the internal database of changed passwords. This may be needed if passwords are being changed constantly in the background using the deferred processor.
To recover passwords using the optional web based Password Recovery Console, first log into the website. The typical web url is
Then select a management set, then select the account on the system to recover.

98 Operations 91 Then supply a specific system's name or click the Display All Systems button. Click the recover link for the account to retrieve.

99 Operations 92
RANDOM PASSWORD CHANGE AUTOMATIC REPORT GENERATION
The Random Password Generator can utilize the Report Generator (see "Report Generator / Output Settings" on page 205) to generate a report on stored passwords on demand or whenever User Manager Pro performs a password change. To use this feature, make sure the Save Passwords for Retrieval check box in the Manage Users dialog (see "Managing Users" on page 76) is checked so that password changes are recorded.

100 Operations 93 The automated export uses a custom version of the report generator. The options that do not pertain to an automated report have been removed from the report generator settings for a generated report. The report generator dialog for an automated password report is shown below.

101 Operations 94 USER NAME To select Names for users enter in a name manually or use the ADD button to retrieve or import lists of users. Shown below is the Edit User List dialog.

102 Operations 95
Using this dialog, it is possible to browse a system for users, import a list of users from a file, import users from Active Directory, or manually add or remove users from the list. If importing a list of users from a file, each line of the file should have one user name on it. The browse option allows retrieving a list of users from any system that can be seen on the network. To obtain a list of users from another system, specify the system and click the Refresh button. Using the User List, it is possible to make changes to lists of users at the same time. These lists of users for future changes or export the list for keeping records of changes manually.
VPN\DIAL-IN SETTINGS
This dialog allows configuration of dial-in settings for user accounts.

103 Operations 96 Note: this feature does not work when alt-admins are used to connect to the target system. USE REMOTE ACCESS POLICY SETTING - This option only exists on Windows 2000 and later. If this option is selected, then the dial-in settings for this user will be defined by the system-wide Remote Access Policy. If the Remote Access Policy is not defined, then it is possible to set specific account dial-in settings. If this option is selected, Allow Dial-in Access will be ignored even if it is selected. ALLOW DIAL-IN ACCESS - Defines if this account can logon using a dial-in connection. A standard Windows VPN connection uses a dial-in connection, so a user account must have dial-in access to connect to a standard Windows VPN. If this option is selected, it will be ignored if Use Remote Access Policy Settings is selected. To explicitly allow dial-in access, first de-select Use Remote Access Policy Settings then select Allow Dial-in Access. CALL BACK OPTIONS - A call back option can be specified for dial-in connections. This option allows the server to call the caller back when a user logs on. These options could be used to alleviate long-distance calls to log into a server.

104 Operations 97 ACTIVE DIRECTORY SPECIFIC FIELDS If you are setting user information on an Active Directory domain controller, you can configure the Active Directory specific user fields. The Active Directory fields will only be set for users in Active Directory. If you attempt to specify a Manager (ManagedBy), and the path that you enter does not resolve to a user in Active Directory, the Managed By field will not be set. You can use the Check Names button to check the path to the manager. If a user is not found at the path specified, you will receive an error. You can also specify a specific Organizational Unit in Active Directory to move the user to. The path must be to a valid container in AD and the Server field must be a domain controller for Active Directory.

105 Operations 98
USER FIELDS AND ACTIVE DIRECTORY
User Manager Pro supports adding users on multiple versions of Windows (NT 4, 2000, XP, 2004 Server). In order to be backwards-compatible with Windows NT 4, fields that are specific to Active Directory are not set by User Manager Pro. User Manager Pro currently only supports setting fields in Active Directory that have equivalent fields in Windows NT 4. Below is a list of supported user fields. The first column lists fields or groups of settings from Active Directory. The second column indicates whether or not User Manager Pro supports altering the specific field or group of fields. The third column indicates whether or not the field can be set using User Manager Pro's multi-user operations. If the field can be set with multi-user operations, then it will be either dynamic (able to be set differently for each user that is part of the operation) or static (the field will get the same value for all users in the operation).
Active Directory Field or Group | User Manager Pro Support | Multi-User Support
GENERAL USER SETTINGS
First name | Full Support | Dynamic
Last name | Full Support | Dynamic
Initials | |
Display name | Full Support (Field is named Fullname) | Dynamic
Description | Full Support | Dynamic
Office | Full Support | Dynamic
Telephone number | Full Support | Dynamic
address | Full Support | Dynamic
Web page | Full Support | Dynamic
ACCOUNT SETTINGS
Group\User Logon Name | |
Logon Hours | |

106 Operations 99
User Logon Name (pre-windows 2000) | Full Support (Field is Username) | Dynamic
User Password | Full Support | Dynamic
FLAGS
Account is locked out | Derived From Expiration Date/Time | Dynamic
User must change password at next logon | Full Support | Dynamic
User cannot change password | Full Support | Dynamic
Password never expires | Full Support | Dynamic
Store password using reversible encryption | |
Account Expiration | Full Support | Dynamic
PROFILE
Profile Path | Full Support | Dynamic
Logon Script | Full Support | Dynamic
HOME FOLDER | Supports Creation and default Security | Dynamic
Local Path | Full Support | Dynamic
Connect Drive | Full Support | Dynamic
Connect Path | Full Support | Dynamic
GROUP MEMBERSHIP
Group membership list | User/Administrator/Guest Group | Dynamic
OTHER ACTIVE DIRECTORY SETTINGS:
Dial-in Settings | Access/Policy Control/Callback | Dynamic

107 Operations 100
Terminal Services Profile | |
Terminal Services Environment Config | |
COM+ Partition Settings | |
Sessions Settings | |
Address Information | Full Support | Dynamic
Managed By | Full Support | Dynamic
Exchange Mail Accounts | Full Support |
Organization Information | Full Support | Dynamic
EXCHANGE MAILBOX CREATION
When adding or updating users, UMP can create Exchange Mailboxes for the users. This feature makes use of Active Directory and will require knowledge of the specific Exchange Server related information for the target network. Once all the fields are set correctly for the Exchange environment and the operation completes, the user's Exchange Mailbox will be created when the Exchange auto update service runs next. The Exchange mailboxes for the users are created with default settings. Because the Exchange mailbox creation uses LDAP paths for one or more parts of the process, use case-sensitive strings in your paths to ensure correct operation.
IMPORTANT! This feature has not been tested with and may not work with Exchange 2007 and newer.
The Organization Name is the name given to the Exchange environment during the initial install of Exchange. This name is at the top of the System Manager tree (omit the '(Exchange)' part).

108 Operations 101 To find the name of the Administrative Groups, it may be necessary to display those items in Exchange System Manager. To do this, right-click the organization name at the top of the tree and select properties. Choose the options to Display Administrative Groups. Mailboxes created using this feature will be created using all of the default settings for aliases and other properties.

109 Operations 102
MULTI-USER OPERATIONS
Multi-User Operations can add, update, or delete an arbitrary preset list of users all at once. The list of users for this batch operation can be drawn from a text file or any OLEDB compliant datasource. The Multi-User Operations can be accessed through the MANAGE > MULTI-USER CHANGE menu item. All the fields that are available for user operations are also available for multi-user operations, except for Exchange mailbox creation, which is currently not supported through multi-user operations. This feature is typically used by schools to add and remove student user accounts at the beginning and end of the quarter/semester/year. The benefit of this feature is that UMP can create thousands of users with completely unique attributes from a standardized data source.

110 Operations 103 SPECIFYING THE DATASOURCE The first step to performing a Multi-user operation is connecting to the data source that the user information will be drawn from. Connecting to a Text File (.txt,.csv, etc.) - Select the Text File radio button and input or browse for the name of the text file. Input the delimiter used in the text file and specify whether the first row of the text file contains column name information or data. Properly formatted text files can include an arbitrary number of columns, delimited by any single character. All rows in the text file must contain the same number of columns. There is no constraint as to the number of rows specified in the text file or the database table. The first row of a text file data source can contain either column header names or rows of data. If no column names are given, column names of Column 1, Column 2, etc will be used to reference each column. Following is contents from a sample text file: FirstName,LastName,Telephone,Department,Title,SSN

111 Operations 104
Daryl,McBobby, ,Information Technology,Jr Associate,
Robby,O'Bob, ,Information Technology,Sr Associate,
Shamus,Callohan, ,Information Technology,Jr Associate,
If there is a field which does not hold a value, the field must still be present. For example, if there was an additional row in the example above where the user did not have a title, their values would be included in the text file as follows:
Amber,Waves, ,Sales,,
Notice the double commas between the department and title.
Connecting to a Database (SQL Server, MS Access, etc.) - Select the Database radio button. To connect to a data source, either browse using the Windows Datasource Browser and/or manually adjust the connection string in the view. Specify the table in the database to draw information from (the Table Name drop-down box will be populated with all tables found in the database upon successful connection). To see example connection strings, see Datasource Examples (on page 105).

112 Operations 105 The Test Connection to Data button is supplied as a quick test to make sure that the program can read information from the table. When pressed, it will popup a view of the data or an appropriate error message describing why it could not read from the data source. Currently, queries from data sources are limited to one table per operation. DATASOURCE EXAMPLES If the data for a multi-user change exists in an outside database such as a Microsoft Access database table or a Microsoft Excel Spreadsheet and it is desired to connect directly to this OLE DB compliant data source, then a proper connection string must be provided. Here are some sample connection strings for different types of data sources. Access Database file (database file is called SystemList.MDB and is located at C:\): Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\SystemList.mdb;Persist Security Info=False

113 Operations 106 Microsoft SQL Server Database (connect using integrated windows security to SQL Server database 'MachinesDB' on system 'MYMACHINE') Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=MachinesDB;Data Source=MYMACHINE ADDING MULTIPLE USERS When adding multiple users at once, use the grid control shown below to give each user property a value. The "Property" column is the description of the user field being set. The "Set Type" column determines which of the subsequent three columns UMP will use to set the property's value. There are three possible values for "Set Type":

114 Operations 107
Static Value - input the data in this display. All users created/modified will receive this exact value for this property.
Query Column - reads information from the target data source.
Dynamic Value - dynamically builds property values based on information from the data source and/or static values. For more information about building dynamic values, see Mapping Dynamic User Fields to Data (on page 111).
All the fields shown in the dialog above can be assigned statically or built dynamically from a data source except account expiration time. Some fields are dependent on other fields; for instance, the Account Expiration field is only active and able to be set if the Account Expires flag is checked. During any part of the multi-user operation configuration, click the Preview All Fields (see "Preview Multi-User Changes" on page 113) button to get a preview of what the results of the operation will be.

115 Operations 108
Advanced Options: During the course of a multi-user add, if one or more of the accounts to be added already exist, User Manager Pro can either ignore that account entirely or update that account to match the settings provided. Settings that are not specified in the dialog will not be affected for existing users.
Home Directory Creation: When specifying a home directory field for adding or updating users, if the local directory is not found on the target system, then that directory is created. After user creation, the user is also given administrator rights to the home directory folder. User Manager Pro does not remove the default rights from the new directory (Everyone read/execute, Admin and new user full control). If the folder already exists on the system, the permissions are reset to default (Everyone read/execute and Admin and new user full control). If both a local directory and a remote path for the Home Directory are specified, the local path will be used. If a remote path is specified, fill out both the local drive letter and the remote path for the mapped network drive.

116 Operations 109 UPDATING MULTIPLE USERS Updating multiple users allows UMP to change one or more fields in the same fashion as if you were performing a multi-user add. Select the source for the existing user names for users to update, and then check the boxes corresponding to the rows of properties to update for all users. After connecting to a data source (text file or database table), choose the user account fields to update by checking the corresponding check box. The fields are the same as for a multi-user add. As with multi-user add, specify the user name for the users to update in addition to the fields to update. If choosing to update the user name field for accounts, then supply both the existing user name fields and the updated user name fields. During any part of the multi-user operation configuration, click the Preview All Fields (see "Preview Multi-User Changes" on page 113) button to get a preview of what the results of the operation will be.

117 Operations 110 After selecting the fields to update, a sheet containing field mapping pages for each field to update will display. The User name field will always be a dynamic field and is always required for performing updates. Other update fields may be dynamic or static. For Details on how to fill out field definitions for dynamic fields, see Mapping Dynamic User Fields to Data (on page 111). Advanced Options: When editing multiple users, an option to Add accounts which do not exist may be enabled to add any missing users. The new users will be created and the fields specified for updates will be set. All other fields for the user will be created with their default values.

118 Operations 111 DELETING MULTIPLE USERS After connecting to a data source (text file or database table), specify the username field for accounts to be deleted. The Username field is a dynamic field and operates in the same way as all other dynamic fields. For Details on how to fill out field definitions for dynamic fields, see Mapping Dynamic User Fields to Data (on page 111). MAPPING DYNAMIC USER FIELDS TO DATA The purpose of dynamic fields is to take user data about a list of users that is stored in a text file or a database table and create users with those settings. The way User Manager Pro accomplishes this is by

119 Operations 112
mapping User Account fields to one or more columns of data. User Account fields that are mapped to data in this way are called Dynamic Fields.
There are three options when mapping dynamic fields of User Accounts to data.
1) Specify a static text string. This means that all accounts will receive the same entry. An example use would be to set all the comments for some newly created users to 'Change your password'.
2) Draw from a column. Use information from a column in the data source to fill the field of the corresponding user account.
3) Build from Arguments. This builds the resulting field from both static text and information from columns in the data source. If this option is selected, click the Change Arguments button.
Use the Field Builder to build the field from user-defined pieces. The Field Builder begins with one argument by default. The argument is a static string that is empty, but this value may be edited. Add or remove additional arguments using the Add New Argument or Remove Selected Argument buttons. There must be at least one argument at all times.

120 Operations 113
To change the settings of an argument, highlight it in the list and then modify the options in the Selected Argument Settings section near the bottom of the dialog. Each argument can be a static string or data from a column of the data source, chosen using the drop-down box. Modify data drawn from a column by specifying Upper or Lower case as well as any substring of the column data. By default, use substring indices of 1 and 999 to specify all the data in the column.
In the screen shot, the user Name property is being built from two pieces of data found in the data source: the first name and the last name. Specifically, the first letter of the first name and the entire last name. We specify to use the first letter of the first name by choosing "From Datasource Column" and selecting the column that represents the first name. Then in the Substring Settings area we choose a start value of "1" and an end value of "1", which states to use the first character of the identified data source column. A new argument is then added where "From Datasource Column" points to the LastName field of the sample data source. The "Substring Settings" are set to start at "1" and end at "999". The user field will be defined by each argument put together in order from top to bottom.
For each argument, there is an entry in the Argument list with the settings for that argument. The Argument Content column shows example data drawn from the first row of the data source and modified by the argument settings. Any substring settings and case adjustments for arguments are also shown. An example field is shown at the top of the dialog. This text box provides an example of what the user account field will be set to for the first user account in the multi-user operation. This example field is a real-time look at the results of the argument list and uses the first row of data from the data source to make it easy to see how the proposed changes affect the resulting field data.
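The text-file rules and the argument-based field building described above can be modelled as follows. This is an added example, not User Manager Pro's code: the function names are hypothetical, the sample rows are constructed, and the duplicate, length and character checks are extra pre-flight checks based on Windows SAM account name rules rather than on anything the guide states.

```python
import csv
import io

# Windows SAM account name rules (assumption of this example, not from the guide)
INVALID_SAM_CHARS = set('"/\\[]:;|=,+*?<>')
MAX_SAM_LEN = 20

# Constructed sample in the layout the guide describes: header row, one user
# per row, empty fields still delimited.
SAMPLE = """FirstName,LastName,Telephone,Department,Title,SSN
Daryl,McBobby,,Information Technology,Jr Associate,
Robby,O'Bob,,Information Technology,Sr Associate,
Amber,Waves,,Sales,,
"""


def load_rows(text, delimiter=",", has_header=True):
    """Parse a delimited file; every row must have the same number of columns."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter, quoting=csv.QUOTE_NONE)
    rows = [r for r in reader if r]
    if not rows:
        raise ValueError("data source is empty")
    width = len(rows[0])
    for n, row in enumerate(rows, start=1):
        if len(row) != width:
            raise ValueError(f"row {n} has {len(row)} columns, expected {width}")
    if has_header:
        names, data = rows[0], rows[1:]
    else:  # the guide's fallback names: Column 1, Column 2, ...
        names, data = [f"Column {i}" for i in range(1, width + 1)], rows
    return [dict(zip(names, r)) for r in data]


def static(text):
    return {"kind": "static", "text": text}


def column(name, start=1, end=999, case=None):
    """Substring indices are 1-based and inclusive; 1..999 means the whole value."""
    return {"kind": "column", "name": name, "start": start, "end": end, "case": case}


def build_field(row, arguments):
    """Concatenate the arguments in order, top to bottom."""
    if not arguments:
        raise ValueError("there must be at least one argument")
    parts = []
    for arg in arguments:
        if arg["kind"] == "static":
            parts.append(arg["text"])
            continue
        value = row[arg["name"]][arg["start"] - 1:arg["end"]]
        if arg["case"] == "upper":
            value = value.upper()
        elif arg["case"] == "lower":
            value = value.lower()
        parts.append(value)
    return "".join(parts)


def preview(rows, arguments):
    """Return (user name, problems) per row so a batch can be checked before it runs."""
    seen, results = {}, []
    for n, row in enumerate(rows, start=1):
        name = build_field(row, arguments)
        problems = []
        if not name:
            problems.append("empty")
        if len(name) > MAX_SAM_LEN:
            problems.append("too long")
        if INVALID_SAM_CHARS & set(name):
            problems.append("invalid character")
        key = name.lower()  # account names compare case-insensitively
        if key in seen:
            problems.append(f"duplicate of row {seen[key]}")
        else:
            seen[key] = n
        results.append((name, problems))
    return results


if __name__ == "__main__":
    # First letter of the first name plus the entire last name, as in the guide
    args = [column("FirstName", 1, 1), column("LastName", 1, 999)]
    for name, problems in preview(load_rows(SAMPLE), args):
        print(name, problems or "ok")
```

A first-initial-plus-surname scheme collides as soon as two users share an initial and a surname, which is why the preview flags duplicates before any account is created.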
PREVIEW MULTI-USER CHANGES During the process of configuring a multi-user operation, proposed changes can be previewed before being implemented. For a multi-user add operation, the preview window shows all accounts that will be created and all user account fields.

121 Operations 114 For a multi-user update operation, the preview shows all users that will be updated as well as which fields will be updated and the new settings for each of those fields.

122 Operations 115
MANAGING WINDOWS GROUPS
This section covers Group management (Global and Local) using User Manager Pro.
LOCAL GROUPS
The Local Group dialog allows creating, updating, and deleting local groups on a set of highlighted systems. There are three ways to get to the Local Groups management dialog:
Click on the Local Groups button in the center panel of the Manage Systems dialog.
Click on the Local Groups option on the Manage menu in the Manage System dialog.
Click on the Local Groups option on the context menu (right-click menu) in the systems list.
The Local Group management feature is used to create, edit membership, and delete groups on all the selected systems in the current systems list. This feature makes it quick and easy to clean up unused local groups as well as create sets of groups on local systems for the end-users.
Add - allows adding local groups to the highlighted systems. If a domain controller is selected, a domain local group will be selected.
Update - allows updating the specified group.
Delete - allows deleting the specified group.
Delete all except required groups - this option is used to remove all of the groups except for those specified by the editable list box. Use this option to clean up unused or user created groups on workstations/servers/domains so that only approved groups are in each target system. THIS FEATURE CAN BE USED TO GET RID OF EXTRA GROUPS THAT COULD REPRESENT SECURITY RISKS.
The list of required groups can be drawn from any machine (workstation, server, or domain controller). Before any groups are deleted from target machines, the list of required groups must already be found on each target machine. If any of the required groups are missing, all deletions on that machine will be aborted with a message in the log explaining what group(s) was/were found missing.
It is possible to override this protection and delete extra groups (Delete even if some groups are missing), however this action might leave no way to access the machine being changed.

123 Operations 116
In the bottom center of the screen in the Update Options area is a hidden area called Lockout Changes to Group. Access to this portion of the tool is hidden by default, as improper use of this feature may cause harm to the network. This particular feature is used to hide, both visibly and programmatically, built-in groups such as the administrators group. Using this to "hide" the built-in group does not affect authentication as a member of that group but rather stops the group from being visible via GUI applications (including User Manager Pro). UMP will be unable to report on the memberships of these groups and no user will be able to manipulate the group memberships of this group once they are hidden. In order to allow management and visibility of the group again, it will be necessary to allow changes to the group. Using this feature will also result in an error when attempting to look at the groups folder within computer management. This is OK and does not cause any harm.
To enable this feature, open regedit and navigate to "HKLM\Software\lieberman\UsrMgrPro 2.0". Add a DWORD value called "bshowgroupchangelockout" without the quotes and set its value to 1. When re-opening the local groups dialog this feature will be available.
To use this feature, choose the update option from the "Action" area, specify the name of the group, then enable the check box for "Change lockout for group" and select "Allow changes to group" or "prevent changes to group", then click Apply.

124 Operations 117
GLOBAL GROUPS
The Global Group dialog allows UMP to create, update, and delete global groups on a set of highlighted systems. Global groups can only be managed on domain controllers. There are three ways to open this dialog:
Click on the Global Groups button in the center panel of the Manage Systems dialog.
Click on the Global Groups option on the "Manage" menu in the Manage System dialog.
Click on the Global Groups option on the context menu (right-click menu) in the systems list.
Using the Global Group management feature, UMP can create, edit membership, and delete groups on all the selected systems in the current systems list. This feature makes it quick and easy to clean up unused local groups as well as create groups on local systems for your users.
Add - allows adding global groups to the highlighted systems. Global groups can only be created on domain controllers.
Update - allows updating the specified group.
Delete - allows deleting the specified group.
Delete all except required groups - this option is used to remove all of the groups except for those specified by the editable list box. Use this option to clean up unused or user created groups on workstations/servers/domains so that only approved groups are in each target system. THIS FEATURE CAN BE USED TO GET RID OF EXTRA GROUPS THAT COULD REPRESENT SECURITY RISKS.

The list of required groups can be drawn from any machine (workstation, server, or domain controller). Before any groups are deleted from the domain, the list of required groups must already be found on each target machine. If any of the required groups are missing, all deletions on that machine will be aborted with a message in the log explaining what group(s) was/were found missing. It is possible to override this protection and delete extra groups (Delete even if some groups are missing); however, this action might leave no way to access the machine being changed.

MANAGING WINDOWS GROUP MEMBERS
This section discusses how to use User Manager Pro to manage [domain] local and global group memberships on target systems.

LOCAL MEMBERS
Local Members allow UMP to assign local/domain users and global groups to local system groups. There are three ways to access the Local Members dialog:
Click Local Members from the center panel in the Manage Systems dialog.
Click Local Members from the "Manage" menu in the Manage Systems dialog.
Click Local Members from the context menu (right-click menu) in the systems list.

Shown below is the Local Members dialog.

The name of the local group is shown in the Local Group Name field. This is the group being modified. Type in the name of the group or browse for the group by browsing the system or domain for the group name. Click the ellipsis (...) to the right of the group name field to browse for the group name. Using the buttons to the right of the Member List box, we can add local users, domain users, and domain groups directly to the local group. We can also import a list of users and/or groups from a pre-defined text file. A properly formatted text file contains one system or group name per line. Entries in the member list can also be deleted.

Actions: These radio buttons determine how the specified member list interacts with the local group denoted at the top of the dialog.
Add List - Entries in the Member List are added to the local group.
Delete List - Entries in the Member List are removed from the local group.
Replace Existing List - The contents of the local group are replaced by the contents of the Member List.
Move all members except those in 'Member list' to 'Alternate Local Group' - moves all members except those specified to another local group.

The 'Move all members except' radio button means that the users and groups specified in the members list will remain in the current local group and any other members in the local group will be moved to a new alternate local group. The Alternate Local Group Name section allows specifying this new alternate group. The 'Move all members except' feature is commonly used to move excess members of the local administrators group to a less privileged group.

INCLUDE CONTENTS OF MAPPING FILE IN MEMBER LIST - use the Include contents of mapping file in member list option to make changes to the local group memberships on all selected systems using a text file of mapped group memberships. This operation works in unison with the displayed membership list, so if the member is found in either the displayed list or the mapping file, then it is included in the operation. The reason to use a mapping file is to set and preserve machine-specific local group memberships such as when adding the domain account for a system's owner to the local administrators group on their own system. When processing the operation, only the system which matches the system name in the first column of the mapping file will use the account name(s) associated with that system. For example: it is required that the local administrator, the domain admins group, and the owner of the machine are placed into the local administrators group. Rather than performing multiple operations for each computer, simply perform one operation to correctly affect group memberships on all systems.

Mapping File Format
The mapping file is a simple text file. The format of the file should be one system name on each line, followed by one or more account names. Examples of valid lines in the mapping file:
SystemName, LocalAccountName
SystemName, LocalAccountName, LocalAccountName
SystemName, Domain\DomainAccountName, LocalAccountName
SystemName, Domain\DomainAccountName, Domain\DomainAccountName
SystemName, "Domain\Domain Account Name", "LocalAccountName"
"SystemName", Domain\DomainAccountName, "Local Account Name"

Format rules:
Use the following characters as delimiters: commas, spaces, semi-colons, or tabs.
Any element may be enclosed in double quotes (system name or account name).
If the system name or account name has a space in it, the entire element must be enclosed in quotes.

GLOBAL MEMBERS
Global Members allow UMP to assign domain users to domain system groups. There are three ways to access the Local Members dialog:

Click Global Members from the center panel in the Manage Systems dialog.
Click Global Members from the "Manage" menu in the Manage Systems dialog.
Click Global Members from the context menu (right-click menu) in the systems list.

Shown below is the Global Members dialog.

Actions: These radio buttons determine what UMP will do with the specified member list.
Add List - Entries in the Member List are added to the global group.
Delete List - Entries in the Member List are removed from the global group.
Replace Existing List - The contents of the global group are replaced by the contents of the Member List.

When adding a global group and a global group name is specified in the Global Group Name field that does not exist, the group may be created by checking the Add Global Group if missing check box and performing an add action.

Using the Global Groups Membership feature, users may be added to Global groups from the list of domain users or from a list of users in a text file. Properly formatted text files of user lists contain one user per line. If attempting to manage Global group memberships on a system that is not a domain controller, errors indicating such will be logged.
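The mapping file format described under LOCAL MEMBERS above can be checked before it is pushed to a privileged group such as local administrators. The following is an added example, not part of this guide or of User Manager Pro: it tokenizes lines by the stated rules, combines the result with the displayed member list, and reports accounts outside an approved list. Case-insensitive name matching, treating a system-only line as an error, the approved list, and all sample names are assumptions.

```python
import re

# A token is either a double-quoted element (may contain spaces) or a run of
# characters with no delimiter. Delimiters per the guide: comma, space,
# semi-colon, tab.
TOKEN = re.compile(r'"([^"]*)"|([^,;\s"]+)')


def parse_line(line):
    """Return (system, [accounts]) for one line, or None if the line is blank."""
    if line.count('"') % 2:
        raise ValueError("unbalanced double quote")
    tokens = []
    for match in TOKEN.finditer(line):
        token = match.group(1) if match.group(1) is not None else match.group(2)
        if not token.strip():
            raise ValueError("empty quoted element")
        tokens.append(token)
    if not tokens:
        return None
    if len(tokens) == 1:
        raise ValueError("system name without any account name")
    return tokens[0], tokens[1:]


def _add_unique(target, names):
    """Append names to target, skipping case-insensitive duplicates."""
    seen = {n.casefold() for n in target}
    for name in names:
        if name.casefold() not in seen:
            seen.add(name.casefold())
            target.append(name)


def parse_mapping(text):
    """Return ({system_casefolded: [accounts]}, [(line_number, problem)])."""
    mapping, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_line(line)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        if parsed is not None:
            system, accounts = parsed
            _add_unique(mapping.setdefault(system.casefold(), []), accounts)
    return mapping, problems


def effective_members(system, member_list, mapping):
    """Displayed member list plus the mapping entries for this system only."""
    result = []
    _add_unique(result, member_list)
    _add_unique(result, mapping.get(system.casefold(), []))
    return result


def unapproved(systems, member_list, mapping, approved):
    """Per system, the accounts the operation would use that are not approved."""
    allowed = {a.casefold() for a in approved}
    findings = {}
    for system in systems:
        extra = [m for m in effective_members(system, member_list, mapping)
                 if m.casefold() not in allowed]
        if extra:
            findings[system] = extra
    return findings


# Constructed sample input. Line 3 omits the quotes around a name with spaces,
# line 4 has no account, line 5 has an unclosed quote.
SAMPLE = "\n".join([
    r'WKS-001, CORP\alice',
    '"WKS-002";CORP\\bob\t"CORP\\Help Desk Tier2"',
    r'WKS-003 CORP\Help Desk Tier2',
    r'WKS-004',
    r'WKS-005, "CORP\carol',
])

if __name__ == "__main__":
    mapping, problems = parse_mapping(SAMPLE)
    members = ["Administrator", r"CORP\Domain Admins"]
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
    for system in ("WKS-001", "WKS-002", "WKS-003"):
        print(system, effective_members(system, members, mapping))
```

The unquoted name on line 3 of the sample is split into three separate account names, which is the failure the quoting rule exists to prevent.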

MANAGING RIGHTS
This section describes how to mass manage rights for users and groups. The rights dialog applies a set of checked rights against a list of named accounts (users and groups). The changes to the accounts listed include adding, deleting or replacing the rights list on the named users/groups.

Shown below is the Manage Rights dialog.

Use this dialog to assign or remove rights from local or domain users, local or domain groups, or built-in groups. When finished manipulating the rights associated with groups and users, click the Apply button to make the changes.

RIGHTS FIELDS
The rights that can be assigned or revoked are listed at the top of the dialog. Only rights that have been checked will be modified; all other rights are ignored. The type of change (add/delete/replace) is set by the Action section radio buttons (on the lower left). Which users and/or groups are modified is determined by the User/Group List box to the right of the Action section. Below are descriptions of fields and panels in the Manage Rights dialog.

AVAILABLE RIGHTS - This is a list of all rights that can be granted/revoked to users or groups. Select the rights to grant or remove by highlighting the rights and clicking either the Yes or No button in the Check Highlighted Rights panel. It is possible to set/reset check boxes by double-clicking on highlighted entries. The columns in the Available Rights lists show the name of the right, the internal name, and whether or not the right is applicable to Windows 2000 and later operating systems.

HIGHLIGHT ENTRIES - Highlight entries allows saving a selection of rights to use again later. Highlighting does not change the checked state of any specific right, but allows quickly selecting sets of rights in order to make changes to the selected state of all those rights at once. Creating, changing, and deleting highlight entries works the same way as Highlight Lists (on page 68).

HIGHLIGHT - These options aid the UMP admin in highlighting tasks. Selecting this way is additive, meaning that rights that are selected are always in addition to what was already selected.
All - Select all Rights.
None - De-select everything.
[X] - Select those rights which have been checked.
[ ] - Select those rights which have not been checked.

SHOW [W2K ONLY] EXPLICIT DENY RIGHTS - Windows 2000 has additional rights to grant and take away. Some of these rights might deny access to necessary operations on a regular system. Be careful about granting or denying these rights.

IGNORE W2K RIGHTS ERRORS ON NT SYSTEMS - The Rights list includes both normal NT rights and new rights found only on Windows 2000 systems. If an attempt is made to write both W2K and NT (base rights) to an NT system, errors will be generated regarding the unavailability of W2K rights on the NT systems. If this option is enabled, attempts to modify W2K rights on NT systems will not cause errors.

MANAGING POLICIES
This section describes how to set up and modify password policies on target systems. Use this dialog to set password policies on all the selected machines. Click the Apply button to make the changes.

POLICIES FIELDS
To update the existing password policies, check the update check box to the left of the fields to enable them. Below are descriptions of fields and panels in the Policies dialog.

PASSWORD RESTRICTIONS
Maximum Password Age - Set the maximum time a password can remain unchanged.
Minimum Password Length - Set the minimum number of characters for user passwords.
When Valid Logon Time Passes - Set whether or not to log users off when their logon time expires.
Minimum Password Age - Set the minimum time before a password can be changed.
Password Uniqueness - Set how many passwords to remember so that old passwords cannot be reused.

LOCKOUT STRATEGY
No Account Lockout - Never lock out accounts.
Account Lockout - Set up options to lock out accounts. Specify how many bad logon attempts users can attempt before being locked out, how often the attempt count is reset, and the duration that the user account is locked out for.

MANAGING AUDITING
The auditing option allows changing the auditing settings on all selected machines.

Shown below is the Auditing dialog.

Use this dialog to enable or disable auditing. If auditing is enabled, select the auditing of success and/or failure of:
Logon and Logoff
File and Object Access
Use of User Rights
User and Group Management
Security Policy Changes
Restart, Shutdown, and System
Process Tracking
Directory Service Access
Privileged Account Logon

The auditing events generated by turning on this auditing will be stored in the local system's security event logs. This information can be viewed by examining the target system's event logs locally or by using Event Log Entries (see "Event Log Entries Report" on page 155) reporting within User Manager Pro.

This dialog can also set the control for what happens when the security event log is full on the target systems. In a default Windows configuration, when the security event log is full, only an administrator can log on until the issue is resolved. Choose to:
Allow any account to logon
Allow only administrator accounts to logon (default)
Crash - BSOD

The above options are defined and limited by Windows, not User Manager Pro.

MANAGING THE REGISTRY
This section describes how to edit the registry as well as manage registry permissions. There are two dialogs that allow managing aspects of the registry:
The first dialog is the Reg Edit dialog, to make changes to registry keys/values for selected machines.
The second dialog is the Registry Permissions dialog that can set permission on registry keys.

REGISTRY EDIT
Use the Registry Edit dialog to add, delete, or ignore the state of keys and values. Creation of a key and its data value may occur simultaneously.

Shown below is the Reg Edit dialog.

There are multiple uses for this dialog. Following are the available operations:

REGEDIT FILE - Allows a file created by regedit.exe to be processed and all changes contained within that file will be made to all selected systems. Regedit4 and Regedit5 formats are supported.

SINGLE KEY/VALUE - Use this option to add, update, or delete keys from target systems. First, specify a root key in the Key field. This root key is one of the base keys for the Windows registry such as HKEY_Local_Machine or HKLM. Specify a path in the Subkey field to the actual key to modify. Next choose whether to add, update, delete, or no change to key. The Subkey field also is implemented as a most recently used list, which will remember previous entries for convenience sake in making changes to multiple groups of systems.

Note: The No Change to Key option allows performing updates on values when some systems have the specified key at the specified path and some systems do not. Because no keys will be changed or created, if the key is found, then the value will be updated, but if no key is found, the logger will log an error, nothing will be changed on that system, and the program will move to the next system.

VALUE TYPE - Sets the variable type for the variable named in the Value Name entry field. The value types that are built-in are:
REG_SZ - String
REG_DWORD - 32-bit Value
REG_EXPAND_SZ - String where special variables are automatically expanded on use (e.g. %USERNAME%).
REG_MULTI_SZ - Multiple zero delimited strings

The Edit Value field will change to reflect the type of information for the value. Once the type of value stored in the key is selected, supply the name of the value to add/change and the new value itself. The Value Name field also is implemented as a most recently used list, which will remember previous entries for convenience sake in making changes to multiple groups of systems.

Note: The No Change to Value option allows performing updates on only keys.

TREAT HKEY_CURRENT_USER AS ALL USERS WHEN PUSHING CHANGES TO SYSTEMS - When performing remote registry operations, HKEY_CURRENT_USER is not guaranteed to exist when users are not logged in because the key represents the current user's user key. Changes that affect the HKEY_CURRENT_USER tree need to be handled differently on remote systems. While it is not possible to access the HKEY_CURRENT_USER key on a remote system, it is possible to access the USERS key. This option allows making those changes to all users so that the next time that someone logs onto the remote machine, the instance of HKEY_CURRENT_USER will be changed to reflect their changed user key.

REBOOT SYSTEMS AFTER CHANGES ARE APPLIED - This feature allows remotely rebooting the affected systems after the registry changes have been completed. This may or may not be desired depending on the changes. For removing harmful registry keys that may have affected the current session, this option may be desired so that the computer can restart with a 'clean' boot.

REGISTRY PERMISSIONS
The registry permission option allows setting permissions on registry keys throughout the enterprise with just a few clicks.

Shown below is the Registry Permissions dialog.

How to use this feature: Using this feature will cause permissions on the identified registry key to be replaced with the entries defined here: permissions will not be appended or modified.

ROOT KEY - This is one of the built-in Windows root keys. Generally this is HKEY_LOCAL_MACHINE, but may differ depending on what needs to change.

STARTING SUBKEY - The actual path below the hive where the target key is located. This path is not case sensitive.

For example, the registry path for this program is: HKEY_LOCAL_MACHINE\SOFTWARE\Lieberman\UsrMgrPro 2.0
The Root Key should be set to: HKEY_LOCAL_MACHINE, and the Starting subkey should be set to: SOFTWARE\Lieberman\UsrMgrPro 2.0. Do not place a leading backslash on the Starting subkey field.

APPLY ACLS TO ALL SUBKEYS BELOW STARTING SUBKEY - Enabling this check box will cause all keys below the Starting subkey to be set to the permissions entered in this dialog and will not apply to the identified key. This option should usually be deselected.

Tip: Since it is not possible to set permissions on keys that do not exist, use the Reg Edit option to create keys manually or via the use of REGEDIT4 or REGEDIT5 files before editing registry permissions.

Tip: All registry hives are supported; however, if it is required to change HKEY_CURRENT_USER and it is unknown if the correct user is logged on, it is best to implement user registry area changes via policy files (.pol files) or group policy. With these methods, the user's registry area can be modified at the time of user logon. Policy files can be created via the policy editor built into Windows NT or 2000.

ACCESS CONTROL LIST - This is the list of users and groups that are specified for the changes in registry permissions. For each key specified, set up account permissions for each user or group in the access control list.

Shown below is the Account Permissions dialog.

To use this dialog, specify the fields used for account permissions and click OK to add the account to the access control list.

ACCOUNT - Specify a local or domain user or group. This will be the user or group whose permissions are being managed for the current registry key.

ACL TYPE - Specify whether to grant or deny the selected permissions.

PERMISSIONS - Permissions define what operations the user or group can perform on the registry key. The Standard Permissions are presets that are commonly used to specify sets of rights.

INHERITANCE ENABLED - Enabling this option allows keys below the starting sub-key on the previous dialog to inherit the permissions being set here. This option should usually be selected.

MANAGING EVENT LOG SETTINGS
The Event Log Settings dialog allows managing the settings for multiple types of event logs on all target systems. This dialog can be accessed by navigating to MANAGE EVENT LOG SETTINGS.

The Event Log Settings dialog is shown below.

Select the log to modify from the drop down box or, if the log is not listed in the drop down list, browse for the log using the '...' button. To modify an event log that is not listed in the drop down list, target a machine that has the event log of the desired type. After selecting the event log type, use the check boxes to enable each type of change. It is possible to set the maximum size of logs, change the overwrite settings for log entries, and/or manually clear the logs on remote machines.

MANAGING FILES, APPLICATIONS, AND UPDATES
This section shows how User Manager Pro can be used to remediate zero day threats as well as push patches and other applications.

PUSH/RUN APPLICATION
The Push/Run feature allows the UMP administrator to copy and run an application on highlighted systems. This feature can be used to install programs and service packs remotely among other things. An application can consist of one or multiple files.

The first setup page is shown below.

Enter the Destination path of the application in the top field.

Note: Use caution when entering a network path in the Application to run field, or the task may fail. This is because User Manager Pro creates an AT task to run the specified file that is set to run to the nearest minute. The AT account is the Local System account and thus only has access to the local system. If the AT account has been modified to run as a privileged domain account, then this will not be a problem.

The command line parameters box allows entering an arbitrary number of additional command line arguments for running applications with customized settings. The task must be able to run quietly and passively, that is to say without any form of user interaction whatsoever. The options to perform these tasks are specific to the application or patch being run. More information about command line arguments can be found here:

If the file should simply be copied to the remote system without running anything, then leave the box marked Run an application on the remote system unchecked.

The second part of this dialog is the copy file page shown below.

Using this interface, enter any files to copy from the current system to all selected remote systems prior to running the remote application. The application to run can be one of the files included in this list or can depend on one or more of these files. To add a new file to the list, click the Add button to bring up the following window.

Path of File on Local Machine - this is the local path relative to the UMP host system to where the files being copied can be found. Use a local path, UNC path or network drive as the source.

Path of File on Remote Machine(s) - this is the network location the files are being copied to. This will always be a network location. Use the %system% variable to represent the target system's name when this operation will affect multiple systems.

If copying a single file, specify the name of the file in the destination path. If copying a file called "q enu.msp" to a folder called "updates" at the root of the C drive on the target system, the UNC path would then be \\%system%\c$\updates\q enu.msp.

Copying Multiple Files and Directories: While it is possible to add as many entries for individual files as needed, the file copy process supports the use of wild card characters such as * and ?. To use wild cards, the syntax is slightly different than when specifying a single file. While the source can be specified as would be expected, "path\*.*" or "path\*.exe", when inputting the destination path, do not provide any file name as would normally be done for a single file copy. For example, to copy every file from the updates folder at the root of drive C to the updates folder at the root of the C drive of the target systems, the source and destination paths would be input as follows:
Source: c:\updates\*.*
Destination: \\%system%\c$\updates\

When specifying a wild card file copy by using the * or ? characters in the source path, the option to Include subdirectories for wild card operation will become available. Enabling this option will also copy every subdirectory in the specified source directory to the target machine as well as every file.

When done specifying the file list and application path, click OK to begin the copy and run.

Notes and Limitations about Push and Run:

This method utilizes the AT service account on the remote machine as the account the application will run under. This means that the Scheduler Service must be installed and running on the remote system. All versions of Windows 2000 and later contain the Scheduler Service. Windows NT 4 must be SP 4 or later.

If the AT service account on the remote machine does not have sufficient privileges to run the application on that target machine, the application may fail to run or exit with an error.

Some applications require command line arguments or switches in order to run successfully. Other applications require command line arguments to run in an unattended, quiet, or non-interactive mode. The AT service account runs in a non-interactive logon session, so if the application requires an interactive session, the application will not run successfully. If the application can run in a non-interactive mode, make sure to supply the correct command line switches in order to run the application in a non-interactive mode. These command line switches are application specific and should be found with the application documentation.

In the event of an error running a task on a remote machine, the error code information that is returned and logged is the exit error code of the application on the remote system. The exit error code is application specific and the documentation for application exit codes should be found with the application documentation.

Push and Run in User Manager Pro is not a fully featured application distribution tool. It is intended rather to be an easy mechanism to push out and run simple programs like batch files or scripts. It can be used to push patches and applications, but user feedback and failure logging is minimal. For a more fully-featured patch distribution solution, see Task Scheduler Pro (

FILE OPERATIONS
File Lockout - This can be used to lock out files that can be damaging or potentially dangerous to your system such as viruses.

FILE LOCKOUT
File Lockout, also known as Cratering, is a powerful feature that can be used to prevent access to files on target systems; this is useful for zero-day virus attacks. This feature can be used to lock out files that may be associated with malicious files or viral files. File Lockout works by replacing the file's ACL with a single entry that is set to Everyone, Deny-Full Control. Locking out files prevents them from being read, written to, deleted, renamed, copied, or moved. If the file does not exist on the target system, a dummy file is created and then locked out to prevent the appearance of the file in the future. This last feature stops a virus from dumping its payload on a protected machine.

WARNING! File lockout can potentially prevent the access of legitimate files by programs that are running on machines. Be careful to avoid locking out files that are necessary for the machines to continue normal operation. If a critical file is locked out, it will be necessary to take ownership of the file and reset the proper permissions.

To specify a list of files to lock out on machines, use the import list command. Browse for a text list of file paths to lock out on all selected systems. A properly formatted text list will contain one file path on each line. It is also possible to add one item at a time by clicking the Add button.

The destination path is a network path to the target system. Use a variable to represent the target system's name such as %system%. To lock out a file called "evilvirus.exe" in the system's Windows install directory, the UNC path would then be \\%system%\admin$\evilvirus.exe.

This list can be exported to a text file by clicking the Export List button. For more information about File Lockout, see our Cratering White Paper.

MISCELLANEOUS OPERATIONS
This section contains additional operations that can be performed.
Send Message - Use Net Send to send a message to machines in your group.
Reboot and Abort Reboot - Remotely reboot or abort a reboot.
Send Wake on LAN Packet - Send a Wake on LAN packet to a suspended system.

SEND MESSAGE
The product allows sending messages using the Windows Messenger service.

Shown below is the Send Message to Systems dialog:

The Send Message settings are limited to those which are valid for the Windows Messenger service; see the Windows documentation for details. If options are specified which are invalid, the Send Message operation will fail with the error code received from the operating system. If the Messenger service is stopped on the remote system, messages cannot be sent to the remote system. The Messenger Service can be started on target systems and then optionally shut down again after the message is sent.

Note: Using the current scheduler, Domain sends cannot be scheduled.

SEND WAKE ON LAN PACKET
This sends a message to the selected machine to wake itself up from sleep mode. Wake on LAN requires that all of the following conditions be met:
Wake on LAN be supported by the remote system and be enabled on the remote system.
Product has the MAC address of the remote system.
Interim routers, switches and firewalls must support and allow the passing of UDP traffic over port 7.

REBOOT AND ABORT REBOOT
This product provides the ability to remotely reboot systems.

Shown below is the Reboot Systems dialog:

Set the Time to display message before forced reboot, as well as the Message to send to system field. When everything is set, click Apply to start the shutdown process. Use the Schedule button to schedule periodic rebooting without any further actions.

The systems that are to be rebooted are listed on the right. This list corresponds to all the selected systems in the Manage Systems dialog.

The options allow forcing all applications to close in order to ensure that the reboot takes place. Systems may also be shut down without restarting. The message that is specified in the Message to send to system field will be sent to the machines as soon as the reboot is scheduled. This message will give any users on the machine a chance to finish what they are doing before the reboot.

Once a reboot command is issued, the way to stop the reboot from occurring is to right-click on the system and choose Abort Reboot or, from the affected system, open a run menu or command prompt and type: shutdown /a
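The Wake on LAN conditions listed under SEND WAKE ON LAN PACKET above (a known MAC address and UDP port 7 passing through intermediate devices) can be exercised with the following added example, which is not part of this guide or of User Manager Pro. It uses the standard Wake on LAN magic packet layout, which the guide does not describe; that UMP sends exactly this payload, the broadcast address, and the sample MAC address are assumptions.

```python
import re
import socket

WOL_PORT = 7            # UDP port named in the guide
SYNC = b"\xff" * 6      # magic packets begin with six 0xFF bytes


def parse_mac(text):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac):
    """Six 0xFF bytes followed by the target MAC repeated sixteen times."""
    return SYNC + parse_mac(mac) * 16


def extract_target(payload):
    """Return the target MAC if payload contains a valid magic packet, else None.

    Useful on the receiving side of a router or firewall to confirm that the
    datagram arrived intact. The sequence may sit anywhere in the payload.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = payload.find(SYNC, start + 1)
    return None


def send_wol(mac, broadcast="255.255.255.255", port=WOL_PORT):
    """Send the magic packet as a UDP broadcast; returns bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    sample_mac = "00-11-22-33-44-55"   # constructed sample value
    packet = build_magic_packet(sample_mac)
    print(len(packet), "bytes for", extract_target(packet))
```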

REPORTING TYPES
User Manager Pro supports the ability to report on almost any aspect of a Windows system. The categories of information which can be retrieved in the Reporting (or Get Info) dialog are shown below.

The desired information will be retrieved from all systems in the management set if no systems are selected when this dialog is opened. For some report types, there are no configurable options to customize the report. For other report types, there are options that can be accessed using the Advanced button for that report type. If the advanced options are not configured, the report will use the default report settings for that report type.

Each type of report is explained in the following sections. Some report types have context (right-click) menus (once the report is run) that can be used to perform operations directly on the results of the report. These operations are usually limited in scope and are meant to provide a quick solution to some common scenarios for the specific report results. Logging for operations run on report results will not be displayed on screen and the operations are not multi-threaded.

To use the reports, it is required to use SQL Server or SQL Express to store report data. For information on configuring User Manager Pro to use SQL Server to store report data, see Database Options.

Options: The reporting dialog can be set to automatically re-open after the report has been completed. This is useful when performing multiple reports consecutively without having to worry about system selection in the main window.

If UMP is connected to a SQL Server database for storage, then choose to save report data in the database. These reports can be retrieved and viewed later through the tool. The report storage settings dictate the maximum number of reports that User Manager Pro will store in the database as well as the number of reports that will be stored for each recurring job.

157 Operations 150 ACCOUNTS This area of reporting allows reporting on Users, Computer Accounts, and Logged On Accounts. USER ACCOUNT REPORT This report shows the users on the highlighted systems. Whether the users are local users or domain users will depend on if the machine being reported on is a domain controller or not. Using the "Advanced Users Report", UMP can customize the information to retrieve about the users. Retrieving

158 Operations 151 the dial-in settings for a user requires that the remote machine be in a domain that is trusted by the local domain. Retrieval of Active Directory Fields only applies to users in a domain running Active Directory. Active Directory fields will be blank for accounts which are not part of a domain running Active Directory. This report along with the group membership report can produce a comprehensive list of all accounts that can be used to gain access to all selected systems in the management set. This report could be a vital piece in making regular security audits into a plausible reality. The options on this dialog affect how the flags for these accounts are displayed. The flags can either be hidden, shown all on one column, or shown with one flag per column (to make sorting on account flags easy). Context menu operations available from the reporting results for user reports:

Delete user(s)
Enable user(s)
Disable user(s)
Rename user(s)
Change type of user to Admin/User/Guest

COMPUTER ACCOUNTS REPORT

This report shows all the computer trust accounts that exist for the highlighted machines. Computer trust accounts exist on domain controllers; there is one trust account for each machine that has joined the domain. Domain controllers can have old computer accounts on them that are still valid accounts. These old computer accounts should be removed periodically for security integrity.

Computer Accounts are just like user accounts in that they have passwords and must be authenticated to gain network access. The managing of this password is automatically handled by the computer and the domain. In an Active Directory domain with default security settings, computer account passwords are changed [automatically] every 30 days.

When a machine has been removed from its domain, the computer accounts are not automatically removed. This means that you will have valid unmanaged domain accounts which can be used to gain access to your network. This report will show you all of the computer accounts in your domain as well as their password ages. If a computer account has a password that is 90 days or older, it is usually safe to delete the computer account and clean up your domain. It is always best to validate the computer no longer exists or is no longer a part of your domain prior to deleting its account.

Context menu operations available from the reporting results for trust account reports:
Delete Computer(s)

LOGGED ON ACCOUNTS REPORT

This report will show all users which are currently logged on to the system. Users are logged on when they have an active login session, which can be interactive or otherwise (accessing system resources over the network, for example).

This report can also include machine accounts and system accounts. Machine accounts will end in $. "Include system accounts" will include login sessions for system accounts (such as LocalSystem). "Include machine accounts" will include login sessions for other systems (such as machines which have active connections to the machine).

Note that this reports on all accounts that are currently logged into the selected systems, which is different from the account that is interactively logged into the system. This feature does not distinguish between which type of logon session each logged on account has.

EVENT LOGS

This Event Logs report will show event log settings and entries.

EVENT LOG SETTINGS REPORT

Use this report to see the Windows Event Log Settings for all highlighted systems. A report on settings will show:

The file name and location of the log file
The maximum size
Any access restriction settings
The retention span of the file
The date and time of creation
The last modified date and time
The last accessed date and time

EVENT LOG ENTRIES REPORT

This report will allow retrieval of the Windows Event Log entries for all highlighted systems. The event logs that are available by default are: Application, System, Security, DNS Service, Directory Service, File Replication Service. It is possible to report on other types of event logs, but it will be necessary to browse for a system on which that log is located. Because event logs can be very large, UMP provides an option to filter the results to save time and make the results easier to view.

Note: Because the result sets for these reports can be very large, it is required to use a SQL Server or SQL Express database to store the reporting data to use this type of report.

Filter results by:

Event Type
Event Source - the list gathered from the local system is available in the drop list, or a source can be input manually.
Category
Event ID
User
Computer
Time span - specify the start and end dates of interest and the events within that range will be retrieved. This restriction is in addition to the last N days restriction.

A report on events will show:

The time the event was generated
The Event ID
The Type of event
The Category Code of event
The source of the event
The user account under which the generating source was running

FILES

The Files reports allow reporting on and managing network shares and permissions, files, and NTFS permissions. NTFS permission reporting is an optional component for User Manager Pro. If the option is not enabled, the NTFS reporting option will not be shown.

NETWORK SHARES REPORT

This section will enumerate the shared resources and the share permissions on those resources for all highlighted systems. Network Shares are shared folders on systems. The permissions listed for this report are the network share permissions, not the file permissions for the corresponding folder.

The report can be customized by specifying which types of shares to retrieve. The types of shares that can be enumerated are:

File Shares
Print Queues
Communication Devices
Inter-Process Communication Shares
Special Shares (IPC$, C$, etc.)

The display can be further customized by choosing how the permissions for each share are shown. This report can also check whether the shared directory still exists on the target machine by selecting the option "Check if shared directory exists on sharing system".

Special shares are usually hidden shares created or used by the operating system in the normal course of operation. These shares probably should not be deleted or modified, as doing so could cause unexpected behavior in other administrative modules, including this module.

The share permissions (Security Descriptor bits) for each share can also be shown. When the permissions are shown with the shares, they can be displayed as the Microsoft standard Security Descriptor String for the share, or decoded into each specific right along with the grant or deny designation on a right-by-right basis.

The Security Descriptor column shows the Security Descriptor string for this share in the standard Microsoft security descriptor string format. This string stores the security descriptor control bits, which dictate user and group rights for this share. More information about the Security Descriptor String Format.

The fields that are shown for the Network Share report are:

System
Share Name
Share Type
Special Share Type (TRUE/FALSE)
Visibility Flag
Comment
Max Connections
Current Connections
Local Path
Security Descriptor (String or flags)

Context menu operations available from the reporting results:

Delete network shares
Edit Permissions for Shares

Security permissions can be edited from the report by right-clicking on a share in the report. This feature uses the same interface that the Windows shell uses to modify file permissions.

FILES REPORT

Due to the number of additional configuration options for this report, this type of report has another full dialog for configuration options.

Note: Because the result sets for these reports can be very large, it is required to use a SQL Server or SQL Express database to store the reporting data to use this type of report.

The Files report can be configured to report on either all files in a directory (with or without subdirectories) or report on a specific list of files.

Report on Files in a directory

When reporting on files in a directory, the number of files returned per system can be capped at a specific number or filtered. The directory path to report on can be fixed, or it can contain wild card replacement strings (to handle cases like the Windows directory being named differently on different versions of the OS).

Directory replacement strings:

%system% - Replaced with the name of the remote system.
%windir% - Replaced with the path to the Windows directory on the remote system.
Admin$ - Specifies the Admin$ share point on the remote system.
C$ - Specifies the C:\ local path on the remote system.

If using a filter when reporting on files in a directory, files which match the filter will be listed in the report. File filters also support wild card replacement.

Filter replacement characters:

? - Single character wild card, single character must be found (e.g. filename.mp?).
* - Multi character wild card, single character does not have to be found (e.g. *.mp3)

This field also supports multi-string values. Each file name must be separated by a semi-colon ";"

Report on an Explicit List of Files

Below is the file list editor. Use this dialog to specify an arbitrary list of file names and paths to report on all selected systems. It is also possible to import and export lists of files to report on. A properly formatted list of files contains one full path per line. The wild card replacement %windir% can be used to specify the Windows directory on all systems. This dialog also remembers the file list from the previous search. Other wild cards (such as %system% and C$) are not currently supported.

Example of %windir% replacement:

File path with wild card: %windir%\system32\file.exe
Replacement on Windows XP: C:\Windows\System32\file.exe
Replacement for Windows 2000: C:\WinNT\System32\file.exe

This report type always reports this file information: Directory Location Filename File Type

This report type also allows reporting on information including:

File System Information Flags File Times File Size (in KB and Bytes) Creation Time Last Access Time Last Write Time
Resource Information File Version Product Resource Version Resource Flags File Type Creation Timestamp
Resource String Information Comments Company Name File Description File Version Internal Name Legal Copyright Legal Trademarks Original Filename Private Build Product Name Product Version Special Build OLE Self Registration

Context menu operations available from the reporting results:

Delete file
Crater file (see "File Lockout" on page 142)

FILE PERMISSION (NTFS) REPORT

This report will show the rights and permissions on files and directories for all selected systems. You can configure this report to show the rights for a specific directory, an entire directory tree (including subdirectories), or a directory tree ignoring specific subdirectories.

Note: Because the result sets for these reports can be very large, we require that you use a SQL Server database to store the reporting data to use this type of report.

File permission reporting is used to report on the NTFS file permission settings for files on multiple workstations in an organization, and aggregate the data into a single report. It is primarily used for auditing permission settings for specific files/directories, but can also be used for specific real-time checks and remediation of issues.

There are several potential use-cases for file permission reporting. Some of the more common use cases are detailed below, along with the suggested application settings to support the use-cases. For details on the report settings/output, refer to the section detailing the specific report type. Of course, this list is not exhaustive, but rather a small sampling of the potential uses for this feature in organizations.

Standard Permission Inheritance Conformance

Many organizations have standard permissions on top-level directories, and expect all files/subdirectories to inherit the standard permissions (and not define custom permissions for objects inside them). Objects with custom permissions can circumvent the intent of such a policy by allowing access to account/group entities not designated to have access at the top-level directory. Using file permission reporting, an administrator can easily verify conformance to such a policy, and remediate any deviations.

The easiest way to accomplish the basic version of this operation is to use the simple report type. Since the simple report type only shows items which diverge from standard inheritance, any deviations from the policy will be readily apparent in the report output. Remediation can be accomplished by highlighting any divergent files/directories, using the context menu to edit security for these items, and resetting them to auto-inherit security settings from parent objects.

Auditing Permissions on File Shares

Many organizations have file servers which host file shares for documents which are shared between multiple users. Often there are specific shares/subdirectories for specific organizations or groups of users, and permissions are set explicitly on those directories to allow access only to those groups of users. In addition to ensuring that the permissions on the top-level directory remain consistent with the intended security for the share, administrators may need to ensure that all files under these shares have the correct access permissions as well. This goal can be accomplished using several features of the application, but primarily with file permission reporting.

If the actual directories on the file server(s) corresponding to the file shares are unknown, the user can use the Network Shares reporting feature to discover the local directories on the file servers which correspond to the exposed network shares. This feature can also show the permissions on the share itself, which limit access to the files under the share (when accessed through the share).

Once the actual local directory is known, the administrator can use file permission reporting to enumerate the NTFS permissions on the actual directory and contained files/subdirectories. The custom report type is generally most applicable here, since the administrator will likely want to examine the actual permissions assigned to the top-level directory. If all contained objects are inheriting permissions only, the report output will be relatively small. If there are sub-objects with custom permissions, they will be readily apparent in the resulting report.

As in the previous example, the administrator can remediate any problems directly from the report results by selecting the objects to modify, and using the context menu to edit the file permissions for the selected objects.

Periodic Auditing for Compliance Reports

Because the application has scheduled execution capabilities and stores the reporting results for later usage (and can have output at generation time if desired), file permission reports can be scheduled to run on regular, periodic intervals. Using the output from these periodic reports, an organization can verify continued compliance with security policies for file security.

NTFS REPORTING DIALOG

The main NTFS File Permissions dialog is shown here:

The top section of the dialog allows the user to configure which directories will be included in the report, and which subdirectories to exclude from the report. The bottom section defines the specific type of report which will be generated, including which fields to include. The specific options for each control are explained below.

Directories to Enumerate

The directories to enumerate for the report are specified here in a list. The directories should be specified in local directory form relative to the target system (eg: C:\test). Wild cards are not allowed in this list. Environmental variables can be specified which will be evaluated in each target system. Examples of directories:

C:\FileShare
%SystemRoot%\System32

Any number of directories can be specified to search in the list, and they will be searched in the order presented. All files in the directories will be included in the permissions report.

Note: Currently it is not possible to specify network share paths in UNC form (ie: \\server\share) to include in the report. This is because the permission report is run on the remote system in the context of LocalSystem, which does not have access to any off-system network resources (by design). In most of these cases, the desired report can be accomplished by running the permission report on the actual system which contains the network file share instead.

Directories to Ignore

This area allows designating which subdirectories of the search paths to ignore while doing the permissions enumeration. This is used primarily to exclude directories with large numbers of uninteresting files from the permissions report. For example, if enumerating the files in the Windows directory, but the hotfix uninstall directories (which are named $NtUninstall*$) should be excluded, then set one of the directories to ignore to *\$NtUninstall*$, which would exclude files in these directories from being included in the file permissions report.

Note: At this time, the NTFS permissions for the excluded directories themselves will still be included in the report, but the files in the directories will be excluded.

Simple Report

This report type shows all the files and directories, with one line per file/directory. Each line contains the flags set in the security descriptor of the file system object, its owner, and the number of entries in the DACL for the NTFS object. Each line also contains entries for differences between the object and its parent object, which is indicative of explicit permissions set on the individual object. The individual columns are detailed in the section for this report type.

This report is primarily useful for ascertaining if there are explicit permissions defined for file objects in a directory structure, without specifically auditing what the permissions are. For example, if the user had a policy that all files under a specific directory had the standard permissions defined at the directory level, this report can be used to quickly verify compliance with the policy, and identify/correct any divergences.

Simple Reports with DACL Entries

This report type is a specific subset of the capabilities of the custom report type. Specifically, it is identical to a custom report with the options which are enabled when it is selected. Refer to the description of the custom report type for an explanation of the options/fields for this report.

Custom Report

This report type shows all the DACL entries for each file system object (file/directory) in the report. Each DACL entry is shown as a separate line in the report (along with all the general information). The options allow configuration of exactly what is included in the report:

Show all directories - This option causes all directories to be shown in the report. With this option disabled, directories which have no files or subdirectories which would be shown in the report are automatically removed from the report as well. Disabling this option can help narrow down the resulting data to the objects of interest.

Show settings for all files in dir - Without this option enabled, the report will display one entry for each file in each directory (with one line for each DACL entry for each file object). If all the files in a directory have the exact same file permission settings, this can be a large amount of redundant information. With this option enabled, the application automatically merges the entries in the preceding case into a single entry (still with multiple lines for each DACL entry) to represent all the files in the directory. The entry will be labeled: [directory]\*.*.

Show inheritance column - This option governs whether the Inheritance column is shown in the report. This column is documented in the report description page.

Show notes column - This option governs whether the Notes column is shown in the report. This column is documented in the report description page.

Context Menu Options for Report Results

In addition to the standard context options for reporting results, the NTFS file permissions report has the context option to Edit Security for the selected objects. This allows the user to open the standard Windows security configuration dialog for the selected objects and manually edit the security for the objects.

The user is encouraged to use caution when editing the permissions of multiple objects at once, since the resulting permissions will be applied to all edited objects, regardless of their original permissions. Also, use caution when editing permissions for objects in different security contexts (eg: different domains), as accounts valid in one context may not be valid in all contexts, and this can result in errors when the settings are applied. Also note that the editing is done in the context of the interactive user (the account which the application is being run under), as if the file object properties had been opened through a file share.

SIMPLE REPORT WITH DACL ENTRIES / CUSTOM REPORT DISPLAY

Since the simple report is a specific case of the custom report, both will be described together in this section. The specific columns which appear in the report are dependent on the options set for the report, but they will all be described below. A sample display for this report is shown here:

The columns specific to this report are:

Path - This column is the full path to the file object (as a local path on the remote system).

Inheritance - This column shows whether the specific DACL entry was inherited from the parent object or defined explicitly for the specific object.

Account - This column shows the account which the permission is defined for. This can either be a created account (domain or local user account), or the symbolic name of a special account ID used by the operating system (such as SYSTEM or Everyone). If the SID for the account cannot be resolved to an account name (for example, if the account has been deleted), the report will show the SID instead of the username.

Own - This column shows a notation if the SID in the DACL entry is marked as the owner of the object. Often the owner of a securable object is given special permissions on object creation, so this field can be useful for determining if the DACL entry is possibly derived from ownership of the object.

Dir - This column shows the permissions on a directory object, and is not applicable for file objects. The full documentation for the format of the permissions is detailed below.

File - This column shows the permissions on file objects (for file object lines) or permissions which are applied to contained file objects (for directory object lines). The full documentation for the format of the permissions is detailed below.

Notes - This column shows the notes for the item, which can be helpful in diagnosing and correcting potential issues with the security on the file system objects.

Description of the permissions column format

Each DACL entry can be an allow entry or a deny entry. The standard Windows permission editing dialog allows selection of standard sets of permissions (such as all access or read & execute). These are pre-defined combinations of the permission bits which are possible to set for file objects. The application parses the bits which are set for each DACL, and replaces standard bit combinations with symbolic names which correspond to the standard sets of permissions. The symbolic indicators are:

All - Full access to the object
R - Read access
W - Write access
D - Delete access
P - Change permissions access
O - Change owner access

If the bit combination does not match a pre-defined permission set, the type of the DACL entry is shown with the hex value for the actual permission bits in the entry. In this case, the user must examine the hex entry to determine which permissions are set by the DACL entry. Some bits have different meanings for directory objects and for file objects. The user is encouraged to refer to the Windows security system documentation for the implications and effects of each security flag.

The permission bits which are valid for all securable objects are:

0x DELETE
0x READ_CONTROL
0x WRITE_DAC
0x WRITE_OWNER
0x SYNCHRONIZE

The permission bits which are valid for file objects are:

0x0001 FILE_READ_DATA
0x0002 FILE_WRITE_DATA
0x0004 FILE_APPEND_DATA
0x0008 FILE_READ_EA
0x0010 FILE_WRITE_EA
0x0020 FILE_EXECUTE
0x0080 FILE_READ_ATTRIBUTES
0x0100 FILE_WRITE_ATTRIBUTES

The permission bits which are valid for directory objects are:

0x0001 FILE_LIST_DIRECTORY
0x0002 FILE_ADD_FILE
0x0004 FILE_ADD_SUBDIRECTORY
0x0008 FILE_READ_EA
0x0010 FILE_WRITE_EA
0x0020 FILE_TRAVERSE
0x0040 FILE_DELETE_CHILD
0x0080 FILE_READ_ATTRIBUTES
0x0100 FILE_WRITE_ATTRIBUTES
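When a DACL entry is shown as a raw hex value, the bits have to be read by hand. The following is an added example (not part of the product or of this guide) that decodes such a value for a file or a directory. The object-specific bits are the ones listed above; the hex values for the five bits valid for all securable objects are incomplete on this page, so the standard Windows SDK (winnt.h) values are used, and the mapping of DELETE, WRITE_DAC and WRITE_OWNER to the D, P and O indicators is an assumption.

```python
"""Decode the hex access mask shown for a DACL entry that matched no
pre-defined permission set. Added example; not the product's own code."""

# Bits valid for all securable objects. The values on this page are
# incomplete, so the standard Windows SDK (winnt.h) values are used.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Object-specific bits exactly as listed on this page.
FILE_RIGHTS = {
    0x0001: "FILE_READ_DATA",
    0x0002: "FILE_WRITE_DATA",
    0x0004: "FILE_APPEND_DATA",
    0x0008: "FILE_READ_EA",
    0x0010: "FILE_WRITE_EA",
    0x0020: "FILE_EXECUTE",
    0x0080: "FILE_READ_ATTRIBUTES",
    0x0100: "FILE_WRITE_ATTRIBUTES",
}
DIRECTORY_RIGHTS = {
    0x0001: "FILE_LIST_DIRECTORY",
    0x0002: "FILE_ADD_FILE",
    0x0004: "FILE_ADD_SUBDIRECTORY",
    0x0008: "FILE_READ_EA",
    0x0010: "FILE_WRITE_EA",
    0x0020: "FILE_TRAVERSE",
    0x0040: "FILE_DELETE_CHILD",
    0x0080: "FILE_READ_ATTRIBUTES",
    0x0100: "FILE_WRITE_ATTRIBUTES",
}

# Assumed mapping to the report's one-letter indicators D, P and O.
CONTROL_RIGHTS = {"DELETE": "D", "WRITE_DAC": "P", "WRITE_OWNER": "O"}


def parse_mask(value):
    """Accept an int or a hex string such as '0x001301BF' or '1301bf'."""
    mask = value if isinstance(value, int) else int(str(value).strip(), 16)
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("access mask must fit in 32 bits")
    return mask


def decode_mask(value, is_directory):
    """Return (names, leftover): the named rights in ascending bit order,
    plus any set bits that are in neither table (never silently dropped)."""
    mask = parse_mask(value)
    table = dict(STANDARD_RIGHTS)
    table.update(DIRECTORY_RIGHTS if is_directory else FILE_RIGHTS)
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    known = 0
    for bit in table:
        known |= bit
    return names, mask & ~known


def control_indicators(value):
    """Letters for rights that allow deleting the object, rewriting its
    DACL or taking ownership; these deserve a second look in an audit."""
    names, _ = decode_mask(value, is_directory=False)
    return "".join(CONTROL_RIGHTS[n] for n in names if n in CONTROL_RIGHTS)


def describe_entry(ace_type, value, is_directory):
    """One-line, human-readable rendering of an allow/deny entry."""
    names, leftover = decode_mask(value, is_directory)
    kind = "directory" if is_directory else "file"
    text = "%s 0x%08X on %s: %s" % (
        ace_type, parse_mask(value), kind, " | ".join(names) or "(none)")
    if leftover:
        text += " | unlisted bits 0x%08X" % leftover
    return text


if __name__ == "__main__":
    # Constructed sample entries, not taken from a real report.
    samples = [("Allow", "0x001301BF", False),
               ("Allow", "0x00000042", True),
               ("Deny", "0x000C0000", False)]
    for ace_type, mask, is_dir in samples:
        print(describe_entry(ace_type, mask, is_dir),
              "| control:", control_indicators(mask) or "-")
```

The same value decodes differently for files and directories: 0x0040 is FILE_DELETE_CHILD on a directory but is not in the file list above, so it is reported as an unlisted bit for a file.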

SIMPLE REPORT DISPLAY

A sample display for this report is shown here:

The columns in this report are logically in several groups:

System / file object information - The initial columns in the report identify the system and the file object for the entry.

Divergences (differences) - The next set of columns notes divergences from parent objects. These columns can be very useful for identifying objects with specific divergences, and/or verifying that specific divergences are not present in a directory structure (usually to audit conformance to a policy).

Flags - The next set of columns specifies the flags which are set in the security descriptors for the file objects, which govern the behavior of the security descriptor in general. These flags can also be useful for identifying file objects which diverge from expected settings and/or policies.

Owner - This column shows the account designated as the current owner of the file system object; usually this is the account which initially created the object, unless the owner has been changed.

DACL - This column shows the number of entries in the DACL for the file object. To see the specific entries in the DACL in the report, use one of the other report types.

The columns specific to this report are:

File Object - This is the file system name for the file or directory for this entry in the report.

Dir has Files - For directory objects, this specifies whether the directory has files in it. It is not applicable for file objects.

Files have Diffs - For directory objects, this specifies whether any files in the directory have access permission differences from the parent directory object. It is not applicable for file objects.

D: No Parent - This column specifies whether the object has no parent entry in the report. This will be true for top-level directories in the report. For entries where this is true, no other differences will be shown, since there will be no parent object to compare permissions with.

D: Owner - This column indicates a difference in owner from the parent object.

D: DACL Explicit Entries - This column indicates that the DACL for the NTFS file object has explicit entries defined in it.

D: DACL Differences - This column indicates that the effective permissions on the file object defined by the DACL (including inheritance) differ from the effective permissions of the parent object. Note: This feature is not currently implemented, and this column is always blank.

D: DACL No Inherit - This column indicates that the DACL is set to not automatically inherit inheritable permissions set for the file object's parent object.

F: DACL Auto Inherited - This column indicates that the flag in the security descriptor to auto-inherit inheritable permissions from the parent object is set. This should be the opposite setting for the D: DACL No Inherit setting (since absence of this flag indicates that divergence, and vice versa).

F: DACL Defaulted - This column indicates whether the DACL is defaulted (automatically inherited from the parent without any modification).

F: DACL Present - This column specifies whether a DACL is present on the file object. If an NTFS object does not have a DACL present (it has a NULL DACL), the operating system allows full access to the object to everyone. By default, all NTFS objects will have DACLs present, and the absence of this flag usually means a security problem.

F: DACL No Inherit - This column specifies that the DACL for this object is not set to automatically inherit inheritable permissions set on the parent object. The presence of this flag should be considered carefully per-instance, since this will break propagation of permissions set on parent objects, which may lead to undesirable permissions on objects below this object if permissions on parent objects are set in the future.

F: Owner Defaulted - This flag means the owner for the object was inherited from the parent object, and has not been explicitly set.

Owner - This is the account which is the owner for the NTFS file object.

DACL - This column contains the number of entries in the DACL. It is primarily useful for simple high-level verification that the DACL has not had entries added/removed. For a more detailed view of the DACL entries, the custom report type should be used.
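The column descriptions above translate directly into audit rules. The following added example (not the product's own code) applies them to a simple report saved as text. The CSV layout, the "X" marker for a set flag, the finding names and the baseline of expected DACL entry counts are all assumptions made for illustration, and the sample rows are constructed.

```python
"""Triage rows of a simple NTFS permission report using the column meanings
described above. Added example; export layout and names are assumptions."""
import csv
import io

# Constructed sample export (assumed layout: CSV with the simple report's
# column names; a flag cell holds "X" when set and is empty otherwise).
SAMPLE_EXPORT = r"""System,File Object,D: No Parent,D: Owner,D: DACL Explicit Entries,D: DACL No Inherit,F: DACL Auto Inherited,F: DACL Present,Owner,DACL
FS01,C:\FileShare,X,,,,,X,BUILTIN\Administrators,4
FS01,C:\FileShare\Finance,,,,,X,X,BUILTIN\Administrators,4
FS01,C:\FileShare\Finance\plan.xls,,X,X,,X,X,EXAMPLE\jdoe,5
FS01,C:\FileShare\HR,,,X,X,,X,BUILTIN\Administrators,2
FS01,C:\FileShare\Temp\dump.bin,,,,,X,,BUILTIN\Administrators,0
"""

# Constructed baseline of expected DACL entry counts from an earlier run.
SAMPLE_BASELINE = {("FS01", r"C:\FileShare\HR"): 4}


def is_set(row, column):
    """True when the flag cell for this column is non-empty."""
    return (row.get(column) or "").strip() != ""


def check_row(row, baseline=None):
    """Return the finding names (hypothetical labels) for one report row."""
    findings = []
    # No DACL present (NULL DACL): the OS allows everyone full access.
    if not is_set(row, "F: DACL Present"):
        findings.append("null-dacl")
    # Top-level entries have no parent, so no divergences are reported.
    if not is_set(row, "D: No Parent"):
        if is_set(row, "D: Owner"):
            findings.append("owner-differs")
        if is_set(row, "D: DACL Explicit Entries"):
            findings.append("explicit-entries")
        no_inherit = is_set(row, "D: DACL No Inherit")
        if no_inherit:
            # Future permission changes on the parent will not propagate.
            findings.append("inheritance-blocked")
        # Auto Inherited should be the opposite of No Inherit.
        if no_inherit == is_set(row, "F: DACL Auto Inherited"):
            findings.append("inherit-flags-inconsistent")
    # High-level check that DACL entries were not added or removed.
    expected = (baseline or {}).get((row["System"], row["File Object"]))
    if expected is not None and int(row["DACL"]) != expected:
        findings.append("dacl-count-changed")
    return findings


def audit(export_text, baseline=None):
    """Map (system, path) to its findings for every row that has any."""
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = check_row(row, baseline)
        if findings:
            results[(row["System"], row["File Object"])] = findings
    return results


if __name__ == "__main__":
    for (system, path), findings in audit(SAMPLE_EXPORT, SAMPLE_BASELINE).items():
        print(system, path, ", ".join(findings))
```

Rows flagged null-dacl should be looked at first, since the guide notes that a missing DACL usually means a security problem.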

NOTES ON RESOURCE USAGE

General

The application components and the remote agent process are all compiled binary code with no run-time requirements. This means that relative to other application types (such as Visual Basic applications or .NET applications), the resource utilization overhead will be low and the performance will be better.

Local CPU/memory Usage

CPU usage on the local system running the main application should be relatively low. Since the data gathering is performed by a remote agent distributed to each remote system being inspected, most of the processing is done on the remote system. The local processing during a reporting operation consists primarily of dispatching and monitoring the remote agent, and inserting the resulting gathered data into the database. The dispatch/monitoring is generally not processor intensive. The data insert can be processor intensive if there is a large amount of data included in the report, but is usually limited by the database's ability to process the inserts.

Memory usage on the local system should likewise be relatively low. The dispatch and monitoring operations consume very low amounts of memory. The data import step imports the data as it is read, so the memory overhead should be minimal. Finally, when the report data is displayed, it is paged directly from the database, so this too should have low memory overhead.

Target System Resource Usage

CPU usage on the target system can be high during the reporting operation, due to the process of scanning the file system for file and permission data. Generally, the CPU utilization will be limited by the disk access speed/throughput, since the operation will be limited by the speed at which the system can read and process information from the file system. The combination of these two resource utilizations can render the system significantly less responsive during the reporting operation (while gathering data from the specific remote system), and there is currently no method to throttle the resource utilization of the remote gathering agent. It is therefore recommended that file permission reports be run when the target systems are expected to not be under high utilization, and/or do not need to be highly responsive otherwise. This effect will be more pronounced if the number of files/directories scanned during the operation is large (regardless of the size of the resulting data set).

Memory utilization on the target system, on the other hand, should be relatively low. Since the data is written as the scan is in progress, and only limited state information needs to be stored in memory during the scan, memory utilization is minimized.

Database Utilization

Utilization of the back-end database will be highly dependent on a number of factors, such as the amount of data gathered by the report and the number of concurrent threads. It is highly recommended that SQL Server be used (as opposed to MSDE), since SQL Server can handle many more concurrent connections. The potential number of concurrent database connections is roughly equivalent to the maximum number of threads, and the application will have optimum performance if all database requests can be handled concurrently by the database during report data gathering.

Interactive report display is paged from the database, so resource utilization should be minimal during this operation. For report generation, all the data for the report will be loaded from the database to be included in the output data, and this operation can cause high database utilization.

General Guidelines

For optimal performance of file permission reporting, the administrator should define the search criteria as narrowly as possible to achieve the desired results. For example, if auditing files in a directory, identify (as best as possible) any subdirectories which are not relevant to the search, and list them as excluded directories. Disable any options which produce data which is not used. If reporting on a large amount of data, try to run the report when the target systems and connecting network are least busy, both to optimize performance and decrease impact.

Also, be sure to check for product updates regularly. In addition to new features and bug fixes, product updates often contain performance enhancements for regular operations.

GROUPS

The Groups reports allow reporting on [domain] local and global groups as well as their memberships. Global group reports will only work against Windows domain controllers.

LOCAL GROUPS REPORT

The Local Groups report shows the local groups on the highlighted systems. This report will display the group name and group comment. If a domain controller is targeted when running this report, the report will return a list of domain local groups.

GLOBAL GROUPS REPORT

The Global Groups report shows the global groups (domain groups) on the highlighted systems. This report will only display results for highlighted machines that are domain controllers because those machines are the only ones that have global groups on them. This report will display the group name and group comment. This report will not return any results for machines that are not domain controllers.

LOCAL GROUP MEMBERS REPORT

The basic local groups report will return a list of all local groups on the targeted systems and all of their members, both domain and local. Select the information to include in the local groups report by running the Advanced Local Group Membership report, as seen below:

There are a few options which allow customizing which accounts are included in the report. Either report the membership of one or more specific groups, or report all the groups that a specific user is a member of.

When reporting on all members of one or more groups, there are a few options which can help streamline the results. If the target group has another group as a member, the members of that group will be indirect members. To enumerate the group membership more than one level deep, enable the Include nested indirect members option. Each system also has a machine account, which is used by the system, which may be in groups (machine accounts end in '$'). To enable displaying of computer accounts, select the options to Include Machine Accounts.

Show the full names for user accounts by enabling the corresponding option. User Manager Pro by default displays the short versions of the user account names, but accounts may be differentiated by their long names. Enabling this option will display these long names (if available) in addition to the shorter user account name.

The second type of report retrieves all local groups for which the user is a member. This report allows checking local group memberships for a particular user. Use a fully-qualified user name (DOMAIN\Username), or a local user name (Username). If a local user name is supplied, the report will generate the local group memberships for the local user on each system the report is run on. For example, if requesting the local groups that the local user Administrator is a member of, the report will display the group memberships for the local Administrator account on each machine (which may be different per machine). This report is useful for checking to ensure that specific local/domain accounts have expected or excessive local group memberships.

This report shows the group names and member names.

Context menu operations available from the reporting results:
Remove member(s) from group
Add domain user(s) to local group
Add domain group(s) to local group
Add local user(s) to local group
Move group member to alternate group

Note: User Manager Pro can also be used to lock out changes (see "Local Groups" on page 115) to the membership of a built-in local group. Because of the potential implications of using this feature, it must be manually enabled by setting a registry key value. To enable this feature:
1) Under the key "HKLM\SOFTWARE\LIEBERMAN\USRMGRPRO2.0"
2) Create the DWORD value "bshowgroupchangelockout"
3) Set the value to "1"

This will enable the group lockout settings in the local group members dialog. Once this feature has been enabled, it can be used to either allow or prevent changes to the memberships of built-in local groups.

Warning: Locking out changes to the membership of local groups can potentially cause errors. Specifically, tools that attempt to view, iterate, or change the group membership will no longer be able to do so after the change and may return errors or fail to function. This includes some built-in Windows tools.

GLOBAL GROUP MEMBERS REPORT

The Global Group Members report will show the accounts (domain only) which are members of a specific global group (or all global groups). To show other global groups which are in the target global groups, enable the option to Include Indirect Memberships. This report will include global groups and users from other trusted domains.

This report shows the group names and member names.

Context menu operations available from the reporting results:
Remove member(s) from group
Add domain user(s) to global group
Add local user(s) to global group
Move group member to alternate group

INSTALLED SOFTWARE

The Installed Software report shows installed software, instances of VNC, Windows updates, Service Packs, hot fixes, and Internet Explorer Service Packs and hot fixes.

WINDOWS UPDATES

The Windows Updates report generates reports for highlighted systems showing which service packs and hot fixes for Windows have been applied to the systems. The report will also show the name of the service pack, who performed the installation, and when the update occurred. Use this feature to quickly find machines that are not up to date with the most recent security patches.

Reporting on Windows service packs will identify the service pack number, update name, description, installing account, date, and type of update. Further refine the search for Windows updates and hot fixes by using the Filter for substring in update name option. Supply either a specific name such as KB or a partial name such as KB88*.

Reporting on Internet Explorer updates will supply the version of IE, the service pack, and update numbers.

Note: If the target system was deployed using slipstream patching, where the updates and hot fixes are part of the original install source and not applied afterwards, these items are not registered with the operating system, as they are applied at the same time as the initial operating system install. Because of this, slipstream updates and hot fixes are not listed in the Windows Updates report.

INSTALLED SOFTWARE REPORT

The Installed Software report will show applications on the selected machines if they have registered uninstall information with Windows. This information is pulled from the registry of the remote machine. The values retrieved, if available, are:

Key Name
Display Name of the Installed Application
Comments for the Application
Version
Publisher
Installation Location
Installation Date
Uninstallation Command
Link for Online Help File
Quiet Uninstallation Command
Publisher Contact Information
Help Telephone Number
Help URL

VNC INSTANCES REPORT

The VNC Instances report will show if the VNC service is installed on the highlighted systems. VNC versions 3 and 4 are currently supported. The report will show the following for all systems:
Installed version(s)
Whether or not the service is running
Port used by the service
Password protected (The VNC service will not permit remote connections if the service has no password)
Installation path of the service(s)

REGISTRY

The Registry report area allows reporting on registry entries.

REGISTRY VALUES REPORT

The Registry Values report will discover the contents of registry keys on all machines selected. Choose to report on only a particular key value, or all values in a key and all its sub-keys. The Registry report is pre-populated with some common keys but also provides a browse option to locate a specific key on a system. Key names may also be supplied directly or the UMP administrator may browse for the specific key to report on.

This report can be used for a large number of things. For example, use the report to determine what will be automatically run at startup on each machine. If a program/virus creates a particular key or value, UMP can test for the presence of that program/virus on all targeted systems. The registry report can enable the systems administrators to check for versions of applications [which store their version information in the registry] on every system on the network, and order by version. This report can also detect the presence of specific applications installed on individual workstations. In short, the usefulness of this feature is only limited by the data which is stored in the registry.

Reporting on the HKEY_USERS base key is a special case as there are multiple options available for this key such as reporting on a specific user profile key, the default key, or all user profile keys. For this reason, there are configuration options to allow such reports as well as the capability to browse for a specific user profile key.

If choosing to paste keys directly to the list from the registry, User Manager Pro will automatically remove the base key prefix and adjust the drop-down appropriately. For example, if the key copied is HKEY_LOCAL_MACHINE\Software\Lieberman\UsrMgrPro 2.0 then the pasted key will be Software\Lieberman\UsrMgrPro 2.0

Note: If electing to report on all sub-keys of a large root key, the Get Info operation will take a long time and/or may exceed the local registry size. To examine several sub-keys of a large branch (such as Software\Microsoft\Windows\CurrentVersion), it is highly recommended to use a SQL Server or SQL Express database to store the report data.

Note: If selecting HKEY_USERS as the base key, the report will include all values in the key for each user on each machine the report is run on. Since user data is stored in sub-keys named by the SID of the user, the SID of the user under which the information resides is given for each data item returned. In addition, User Manager Pro will do a remote lookup on the SID, and display the remote user name for the user if possible. To modify the information, be aware that the registry keys are named by SID, so remember to record the SID of the user whose data will be modified.

Context menu operations available from the reporting results:
Delete registry key
Crater files (see "File Lockout" on page 142) referenced by registry key values (in this case, if the registry value does not specify an absolute path, the first matching file found in the system path of the target machine will be Cratered)
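
The startup-entry use of the Registry Values report described above can be turned into a rarity check once the results are exported as tab-delimited text. The following is an added example, not code from User Manager Pro or Lieberman Software; the column names (System, Key, Value Name, Data) and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# HKEY_USERS results are keyed by the user's SID (or .DEFAULT), so the same
# per-user autorun shows up under a different key for every profile.
PROFILE_PREFIX = re.compile(r"^(S-1-\d+(?:-\d+)+|\.DEFAULT)\\", re.IGNORECASE)

RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export; column names are assumed, not taken from the guide.
ROWS = [
    ("System", "Key", "Value Name", "Data"),
    ("WS01", RUN, "AVTray", r"C:\Program Files\AV\avtray.exe"),
    ("WS02", RUN, "AVTray", r"C:\Program Files\AV\avtray.exe"),
    ("WS03", RUN, "avtray", r"c:\program files\av\avtray.exe"),
    ("WS02", RUN, "updater", r"C:\Users\Public\upd.exe"),
    ("WS01", "S-1-5-21-1111-2222-3333-1001\\" + RUN, "Chat", r"C:\Chat\chat.exe"),
    ("WS03", "S-1-5-21-1111-2222-3333-1007\\" + RUN, "Chat", r"C:\Chat\chat.exe"),
]
REPORT_TSV = "\n".join("\t".join(row) for row in ROWS)


def rare_autoruns(report_text, max_systems=1):
    """Return autorun entries seen on at most max_systems systems.

    Each result is ((key, value name, data), [systems]); the rarest entries
    come first. Registry names are case-insensitive, so everything is
    lower-cased, and the SID component of HKEY_USERS keys is removed so one
    program started from several profiles counts as one entry.
    """
    systems_by_entry = defaultdict(set)
    reader = csv.DictReader(io.StringIO(report_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)  # keep quoted paths intact
    for row in reader:
        key = PROFILE_PREFIX.sub("", row["Key"].strip()).lower()
        entry = (key, row["Value Name"].strip().lower(),
                 row["Data"].strip().lower())
        systems_by_entry[entry].add(row["System"].strip().upper())
    rare = [(entry, sorted(systems))
            for entry, systems in systems_by_entry.items()
            if len(systems) <= max_systems]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


if __name__ == "__main__":
    for (key, name, data), systems in rare_autoruns(REPORT_TSV):
        print(f"{name}: {data} on {', '.join(systems)} ({key})")
```

An entry that appears on only one or two systems is not proof of a problem, but it is where a review of startup programs should begin.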

SECURITY

The Security reports allow reporting on auditing settings, local password policy, rights, and domain trusts.

AUDIT SETTINGS REPORT

The Audit Settings report will display the audit settings for all machines selected. This can be very useful for ensuring compliance with security policies which require certain audit events to be enabled on all workstations. The audit settings which this option will retrieve are the same settings which can be set using the Auditing dialog in Windows. The report will show:
Whether or not auditing is enabled on each machine
Each audit event type and whether or not that event is audited for both success and failure.

Note: This feature currently only checks base NT-type audit events. There are additional audit settings [in Windows 2000 and later] that are not retrieved.

LOCAL SECURITY POLICY REPORT

This report enumerates the basic local password and account lockout settings for the systems. The settings which will be retrieved are the same settings that can be changed with the Policies dialog in Windows. This does not include Group Policy Active Directory rules and objects.

RIGHTS REPORT

The Rights report will retrieve information about rights for any user or group or machines.

Show rights for a specific user/group - Specify an account or group to retrieve the rights for. This will look up rights that this account has on the highlighted systems, as well as look up group memberships for this user and get the rights that those groups have on the highlighted machines.

Show rights for sets of accounts valid on system - Retrieve the rights for all accounts on all highlighted systems, filtered by the inclusion options.
Include local users - Includes local user accounts
Include domain users - Includes domain accounts found on all trusted domains that can currently be used to access this machine.
Include local groups - Includes local groups
Include domain groups - Includes domain groups found on all trusted domains that can have rights on the highlighted systems.
Include built-in system accounts - Includes built-in accounts like local system accounts.

In addition to the standard search scope, this report can be set to search all trusted domains, or limit the report to a specific set of domains using the Domains option on the center right of the dialog.

Include Indirect Rights - The default is to show the explicit rights granted to each user or group for systems, but the report may also show indirect or inherited rights. If showing indirect rights, then rights that are granted explicitly or implicitly are shown in the report. An example would be a user that is part of a group. The group is granted rights on a machine, therefore that user is also granted rights on that machine. User Manager Pro will cascade these rights, giving the highest level derivation if more than one exists. The order that rights cascade is: explicit, direct membership in a local group, domain user in a domain group that is in a local group.

The following display options allow customizing the report display. In most cases, auditors are only interested in which users/groups have a specific right or in quickly searching to see what rights a specific account or group has on a system.

On display, show - Displaying all the rights for all users or groups can be a substantial amount of information. This option allows displaying the rights one per column horizontally or displaying them all in one row. If reporting on lots of rights and visibility/printing/readability is a concern, then Lieberman Software suggests one right per row. If the information is going to be stored for comparison between systems by right, then Lieberman Software suggests all rights in one row. The latter allows quickly viewing which systems allow a specific right to the specified account or group, and what grants that right.

Filter - The Filter allows selecting which rights to report on. The dialog shown below can be used to select or de-select rights. When finished choosing which rights to include in the report, click OK.

TRUSTS REPORT

The Trusts report allows enumerating all domains that the local domain trusts explicitly or implicitly. Target a domain controller to run this report. The report will identify the type of trust and the relationship of that trust to the local domain (e.g. Explicit, one way, non-transitive trust or Inherited, bi-directional, transitive forest trust).
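
The cascade order given for Include Indirect Rights in the Rights report, together with the nested-member and machine-account options of the Local Group Members report, can be worked through on a small data set. The following is an added example, not User Manager Pro's own code; the group, account and grant data are constructed, and the handling of only the three derivation levels named in the guide is an assumption.

```python
from collections import deque

# Derivation levels in the cascade order the guide gives (lower wins).
EXPLICIT, VIA_LOCAL_GROUP, VIA_DOMAIN_GROUP = 0, 1, 2

# Constructed sample data for a single system.
LOCAL_GROUPS = {
    "Administrators": ["Administrator", "CORP\\Domain Admins", "CORP\\svc_backup"],
    "Backup Operators": ["CORP\\Helpdesk", "WS01$"],
}
DOMAIN_GROUPS = {
    "CORP\\Domain Admins": ["CORP\\alice"],
    "CORP\\Helpdesk": ["CORP\\bob", "CORP\\Tier1"],
    "CORP\\Tier1": ["CORP\\carol", "CORP\\Helpdesk"],  # deliberate cycle
}
RIGHT_GRANTS = {
    "SeBackupPrivilege": ["Administrators", "Backup Operators", "CORP\\bob"],
    "SeRemoteInteractiveLogonRight": ["Administrators"],
}


def nested_members(group, domain_groups):
    """All non-group accounts in a domain group, following nesting.

    Groups can contain each other, so visited groups are tracked to keep
    a membership cycle from looping forever.
    """
    seen, users, queue = {group}, set(), deque([group])
    while queue:
        for member in domain_groups.get(queue.popleft(), ()):
            if member in domain_groups:
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def holders(right, grants, local_groups, domain_groups,
            include_indirect=True, include_machine_accounts=False):
    """Map each account holding `right` to (level, what grants it).

    When an account reaches the right by several paths, only the highest
    level derivation (explicit before local group before domain group)
    is kept, as the guide describes.
    """
    found = {}

    def record(account, level, via):
        if account.endswith("$") and not include_machine_accounts:
            return  # machine accounts end in '$'
        if account not in found or level < found[account][0]:
            found[account] = (level, via)

    for grantee in grants.get(right, ()):
        record(grantee, EXPLICIT, grantee)
        if not include_indirect or grantee not in local_groups:
            continue
        for member in local_groups[grantee]:
            record(member, VIA_LOCAL_GROUP, grantee)
            if member in domain_groups:
                for user in nested_members(member, domain_groups):
                    record(user, VIA_DOMAIN_GROUP, f"{member} -> {grantee}")
    return found


if __name__ == "__main__":
    result = holders("SeBackupPrivilege", RIGHT_GRANTS, LOCAL_GROUPS, DOMAIN_GROUPS)
    for account, (level, via) in sorted(result.items()):
        print(level, account, "via", via)
```

In the sample, CORP\bob reaches the right both explicitly and through CORP\Helpdesk, and only the explicit grant is reported, so removing him from the group would not remove the right.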

WMI - WINDOWS MANAGEMENT INSTRUMENTATION

Unlike the rest of User Manager Pro's reporting options, which use native APIs to generate reports, the WMI reports allow reporting on systems using Windows Management Instrumentation (WMI). Use of this interface requires access to port 135 on the target systems as well as access to the ephemeral ports (which vary by OS implementation). WMI is useful for reporting on almost any aspect of a Windows operating system. These WMI reports allow free form reporting for any piece of the target operating system.

In order to get the best results using WMI, use the latest Windows operating system. WMI is available as an add-on for Windows NT 4.0.

WMI PROPERTIES REPORTING

The basic WMI report will return a basic system inventory of the selected machines including BIOS information and asset tag number.

Use the Advanced WMI report to gather data on any or all of the fields exposed through WMI. The number of fields that are exposed through the WMI interface and accessible through this report is substantial, but full documentation about each entity can be found on the Microsoft website. Use this feature to report on one, multiple, or all instances of a specific WMI object on all selected machines.

Note: Because the result sets for these reports can be very large, it is required to use a SQL Server or SQL Express database to store the reporting data to use this type of report.

When selecting the WMI report type, a dialog will be presented which will allow selecting the WMI objects to report on. The WMI objects that are available are listed on the upper left. This list of available objects is taken from the local system. For a highlighted WMI object in the list on the left, the list of properties for that object is shown on the right. Choose the properties to report on from the list on the right and click the Add Selected button to add them to the selected properties list. The bottom list shows which properties will be gathered and shown in the report.

Note: Because the list of available objects is taken from the local system, the objects presented are not always available on all systems. If the report includes an object that is not found on one of the target systems a syntax error will be generated. A single system returning a syntax error will not interfere with the results from other systems, but the system which does not have the property will not return any results.

If the UMP host does not have a WMI element that needs to be reported on, click the Change button to select the WMI element from a different system which does have the element in question.

Some processes that are invoked directly by the OS and some processes that are part of Win32 will not have Command Line arguments or Executable paths. These processes can be identified by reporting on the Description.

Once a proper query is established, this query may be saved for later re-use by clicking the Save button in the lower right corner of the dialog. These saved queries may be recalled later by clicking the Load button in the lower right corner of this dialog.

Because of the many options and object types, some filters are employed to reduce the number of objects that must be examined. Click the Filter Options button to manipulate the filter.

System objects and CIM objects are part of the base classes of WMI. Most Win32 objects are built on top of or extend objects of these two types.

Win32 objects are the core classes of WMI; these objects include things like system hardware and software resources, system settings, process lists, OS settings, peripheral configuration settings, etc. The most used objects will be of this type.

Along with filtering options, there are also display options. These options determine how the report is displayed to the screen.

One row for each property will show all instances of each object and all the selected properties; one property per row.
One row for each object instance will show each object instance for each machine, and all selected properties for those objects in one row.
Limit output to one row per system will show only the first instance found on the selected machines, and will display all the properties for that object in one row.

OTHER REPORT TYPES

Reports can also be run automatically when using User Manager Pro to change passwords if the Save Passwords for Retrieval check box in the Users dialog (see "Managing Users" on page 76) is selected before making account password changes. This automatic report type is detailed in the Random Password Generator (on page 85) section.

REPORT RESULTS

The Get Info feature and the Reporting feature display their results in a uniform results window, shown below (this example is a report on NTFS file permissions). The columns of the results list are dependent on the type of operation performed. The dialog also displays the count of items in the list. This can be helpful for very large result sets or for quick summary information.

The Show All Columns option can be found in the ResultsList menu. The Show All Columns toggle shows extra columns of data which are specific to the type of information reported on. Typically, these extra columns will contain less frequently used information (such as obscure user data), or constant data (the key that was reported on for registry entries).

The Customize Sorting option is also found in the ResultsList menu. This feature can be used to do a multi-column sort. When selecting Customize Sorting, the following dialog will be presented. Simply select the columns to sort by and the sort order, then click OK. The report can also be sorted quickly by clicking the column header. The columns are automatically sized on creation to display the resulting data optimally.

The Export Report option is also found in the ResultsList menu. This feature opens the Report Generator dialog which can be used to generate a report from the data in the results list. For more info on this feature, see the Report Generator section.

The Highlight Selected option can be found in the Actions menu. This feature highlights the selected systems in the active management set. It will select the systems associated with all items in the report which are selected (each item in the report has a unique system associated with it). To select all the systems except those associated with the items already selected, use this feature in combination with the main window's Invert [selections] feature.

GET INFO NOTES AND TIPS

SYSTEMS NOT AVAILABLE AT TIME OF GET INFO OPERATION

When running a report, failed systems are ignored, and the report results for responding systems are displayed as soon as all systems complete or fail.

NO SYSTEMS SELECTED DEFAULTS TO ALL SYSTEMS

If Get Info is selected with no systems selected in the list, User Manager Pro will automatically highlight all the systems in the current management set.

OPERATIONS BASED ON REPORTING RESULTS

The Highlight Selected feature, combined with sorting and the Invert [selections] button on the main dialog, can be used to quickly select all systems that need a change based on reporting output. Simply sort by the criteria to select systems based on, highlight the systems which have the criteria (or are missing the criteria), use the Highlight Selected feature to highlight those systems on the main dialog, and close the results window. Use the Invert [selections] button to invert the systems selected as appropriate, and then perform the desired operation.

For example, to add a specific local user to all systems which did not already have the local user, first do a Get Info operation for all local users. Then, on the results window, sort by user name, then highlight all the systems with the local user, then click on the Highlight Selected button. All the systems are now highlighted in the management set. Close the results window, and select Invert [selections] to invert the selections of systems. This will now highlight all systems without the local user. Now use the Users feature to add the local user to all the systems selected.

Another scenario where this process is useful is for checking for the latest version of patches on target systems. Run a report to see which hot fixes are installed on the systems, then highlight the machines that have the fix and invert. Now all the systems are selected that do not yet have the hot fix; use the Push and Run feature to push the hot fix out to them and run it immediately.

COPYING INFORMATION FROM THE RESULTS WINDOW

Copy information from the results list by selecting the desired item(s) and pressing CTRL-C. The items will be copied to the clipboard as tab-delineated items, and the rows will be new-line-delineated if there are multiple rows. To take actions in another dialog based on a result item, copy that item, paste it into the appropriate field of the other dialog, then remove the extraneous data.

For example, if there is a registry value on one machine that needs to be replicated to other machines, select the entry from the results list and copy it (make sure the dialog is showing all columns). Then close the report, select the systems to add the registry value to, and select Reg Entry. Paste (using CTRL-V) into the registry key name and value fields, then trim the extraneous information from each text field. The value will be ready to add exactly as it was on the other machine to the systems selected for the Reg Edit operation.
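
The hot fix scenario above (highlight the systems that have the fix, then invert) can be checked outside the dialog from the tab-delimited text copied out of the results window. The following is an added example, not part of User Manager Pro; the column names, system names and KB numbers are constructed, and treating a system with no report rows as "unknown" is an assumption made because failed systems are left out of the report and slipstreamed updates are not listed.

```python
import csv
import fnmatch
import io

# Constructed sample: Windows Updates results copied as tab-delimited text.
# The header names are assumed; the guide does not list them.
REPORT_TSV = "\n".join("\t".join(row) for row in [
    ("System", "Update Name", "Installed By", "Date"),
    ("WS01", "KB880001", r"CORP\patchsvc", "2005-01-12"),
    ("WS01", "KB890002", r"CORP\patchsvc", "2005-02-09"),
    ("WS02", "KB890002", r"CORP\patchsvc", "2005-02-09"),
    ("ws03", "kb880001", r"WS03\Administrator", "2005-01-20"),
])

MANAGEMENT_SET = ["WS01", "WS02", "WS03", "WS04", "ws05"]
FAILED = {"WS04"}  # systems listed with errors when the report ran


def patch_status(report_text, management_set, pattern, failed=()):
    """Classify each managed system as 'installed', 'missing' or 'unknown'.

    `pattern` is a full update name or a wildcard such as KB88*. A plain
    invert of the selection would mix the 'missing' and 'unknown' systems
    together; here a system is 'missing' only when it returned update rows
    and none of them match.
    """
    reader = csv.DictReader(io.StringIO(report_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    responded, has_fix = set(), set()
    for row in reader:
        system = row["System"].strip().upper()
        responded.add(system)
        name = row["Update Name"].strip().upper()
        if fnmatch.fnmatchcase(name, pattern.upper()):
            has_fix.add(system)

    failed = {name.strip().upper() for name in failed}
    status = {}
    for name in management_set:
        key = name.strip().upper()
        if key in has_fix:
            status[name] = "installed"
        elif key in failed or key not in responded:
            status[name] = "unknown"   # no evidence either way
        else:
            status[name] = "missing"
    return status


def push_targets(status):
    """Systems confirmed to lack the update, in management set order."""
    return [name for name, state in status.items() if state == "missing"]


if __name__ == "__main__":
    result = patch_status(REPORT_TSV, MANAGEMENT_SET, "KB88*", FAILED)
    print(result)
    print("push to:", push_targets(result))
```

Systems reported as unknown should be re-run or checked by hand before they are counted as either patched or unpatched.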

SCHEDULED REPORTING

Reports can be scheduled to happen on a recurring basis or at a single time in the future. This feature requires use of a SQL Server or SQL Express database to store report data. Configuring User Manager Pro to store report data in a database is handled through Reporting Data Store. Also make sure to enable saving report results to the database, otherwise the results of scheduled reports will not be stored after the report runs.

To schedule a report, configure the report to run and click the Schedule button. User Manager Pro will then prompt for the scheduling parameters. Scheduled reports look like regular scheduled jobs and as such can be viewed and deleted using the Jobs Monitor. For scheduled reports to run, the deferred processor service must be installed and running on the UMP host.

Reports that are saved to the database can be viewed later by selecting Reporting > Manage Stored Reports. Each individual report is shown as well as the number of systems in the report or the management set on which the report was run. Reports that were run interactively in the application will show "Manual" in the Job column and reports that were generated by scheduled recurring jobs will have the JobID of the job that generated them in the Job column. The type of report, time it was run, and user that initiated the report are also shown. Reports that are generated by the deferred processing service will show the account the service is running as in the Created By column.

From this dialog, there are options to view and delete reports, as well as view the systems that are associated with each individual report. The total number of reports as well as the number of reports stored for each scheduled reporting job can be adjusted using Reporting Options (on page 202).

If a report is scheduled to run, after configuring the scheduled run time(s), User Manager Pro will then ask to take a post-generation action which will allow User Manager Pro to create an export of the information, or the report. These settings are configured at job creation time via the Report Generator (see "Report Generator / Output Settings" on page 205).

REPORTING OPTIONS

The Reporting Options dialog controls how User Manager Pro handles report data after the report is closed. These settings also govern stored reports that are generated by scheduled reporting jobs.

The first option only applies to interactive reports that are run through the user interface. To save report data after the display of the report is complete, a SQL Server or SQL Express database must be configured to store the reporting data.

The report storage settings determine both the maximum number of reports that will be stored in the database at any given time and the maximum number of reports that will be stored for a specific scheduled reporting job. If there are more reports found in the database than the settings allow, User Manager Pro will delete the oldest report first and then the next and so on until the limits are met. There are several reasons to limit the maximum number of stored reports:
Size of the database
Speed of the report retrieval
Elimination of stale data

JOB RESULTS DIALOG

When performing operations, the tool's log will keep track of the outcome. When the operation is successful, the following message box will appear:

If errors occur while the job is being run, the Job Results dialog will pop up and prompt the user to respond to any errors that come up. Shown below is the Job Results Dialog.

This dialog shows any errors being returned by services or machines after a task is completed. Select tasks or machines and have the failed tasks retried by checking the box to the left of the service or system or selecting it and clicking the appropriate Set Enable Retry button. It is also possible to use the built-in Report Generator (see "Report Generator / Output Settings" on page 205) to document this list of errors.

When retry options for each system and/or service are selected, click Start Retry to begin retrying the jobs or click Cancel to not retry any of the jobs.

REPORT GENERATOR / OUTPUT SETTINGS

The report generator feature will generate reports from many places in the product. The report generator includes customizable HTML output, email, and arbitrary post-generation program execution. Regardless of which list the report is being generated from, the report generator dialog (shown below) and functionality are the same.

To create a report output file and launch an appropriate viewer for the file, click on the Generate Report button located at the bottom of the dialog. Normally, after a report is generated, the report dialog window will save its settings and close. To prevent the dialog from closing after completing the generation of a report, set the check box: Do Not Close Dialog After Report Generation. Save new dialog settings without generating a report by using the Save Settings button. To abort the report generation click Cancel.

The Export Data Columns list shows the columns in the list for which the report is being generated (in this case, the managed set list in the main window). Change whether a particular column will be exported by double-clicking on it. Check/un-check all columns by using the All and None buttons to the right of the list. Columns with an X to the left of the column will be exported.

The Export Status Columns section will add a status column to the output which indicates the rows in the source list box that were highlighted (selected). If this option is selected, the generated report will have an additional column; in the new column, rows that were selected will be labeled Yes and rows that were not selected will be labeled No.

The Limit Output to Rows with will export only those rows that were highlighted in the previous list (requires the report to be run from a dialog with a list of items that are selectable).

The No Column Headers will export just the results without including the data column header titles.

The File Name box shows the file name for the generated report. A valid output file for the report must exist, even if no action is taken based on the report. The extension of the file is automatically adjusted to be a valid extension based on the report type. The file extension can be overwritten in the file name box.

The Report File Output Type defines the output type. The report type options are comma delimited, tab delimited, fixed width (space padded to the fixed width), and HTML. The HTML output may be edited in the HTML Edit Dialog (on page 209).

The Post-Generation Action box shows the actions to be taken after the output file is generated. Create the file only simply generates the output file. View or print the report to invoke the View or Print shell actions on the resulting report file (the actual program invoked to view or print is dependent on shell settings for actions based on the extension of the report file). Execute an arbitrary program after the report is generated; use the ellipses (...) option to pull up the executable editing window. Finally, email the resulting report file (inline or as an attachment); use ellipses (...) to pull up the Settings Dialog (see "Server Settings Overview" on page 211).

If the Show Dialog on Success check box is checked, the program will notify with a dialog box when the report action is complete (this may be useful if the action produces no visible feedback itself). The program will always show a dialog box if an error occurs during the report generation/action.

The Title field allows editing the title of the report; this is only valid for HTML reports. The Edit setting opens a window which allows the addition of replaceable report-specific variables to the report title.

IN THIS CHAPTER
Report File Output Type
Post-Generation Action
Server Settings Overview

REPORT FILE OUTPUT TYPE

There are four file types that the Report Generator can generate:

Comma Delimited - Column data is separated with a comma, with the first row containing the column names. This can be read into a spreadsheet such as Excel.
Tab Delimited - Similar to comma delimited except tab characters are used rather than commas.
Fixed Column Width - Specify how wide each column is in characters. This is useful for fixed size viewing, printing, and some displays that may have limited space. Information that does not fit within the fixed size is truncated on generation. This format is useful for generating human readable output.
HTML - Customizable HTML reports.

HTML EDIT DIALOG

This edit window, shown below, allows editing the format for the HTML report output. The HTML output template is set to the default template the first time the report generator is run; it is always possible to revert to the default template by pressing the Default button.

It is possible to create many template files for HTML reports. The file name editor selects which template file is currently being edited. The file menu allows opening or saving templates. The current template file is shown in the template editing window, and can be edited directly. Alternatively, the template may be edited outside of the program by any other HTML editor.

The top of the edit window shows the variables which can be used in the report that will be automatically populated with data specific to the actual report being generated. These variables can be

inserted into the template file at the current cursor position by using the Insert button, double-clicking the variable that should be inserted, or simply entering the variable name directly into the template.

The look of the generated report data is controlled by several CSS style elements. The default template has default styles for these elements and these styles can be edited. The look of the report title elements is set directly in the HTML (which can also be modified).

POST-GENERATION ACTION

The Report Generator can perform actions when the generation of the report is complete. The following options are currently available:

CREATE FILE ONLY - Only create the file.
VIEW - View the file using the default shell viewer based on the file extension.
PRINT - Generate the report and use the default shell printing application based on the report file extension.
EXECUTE PROGRAM - Allows specifying a program to be run upon the completion of report file generation. With this option, specify the path to the program and any additional command line arguments to run the program with.
EMAIL - Email the report file in the body of an email or as an attachment. Specify a list of email addresses to send the report to and append a custom subject line to the report.

SERVER SETTINGS OVERVIEW

This product includes email send capabilities used for reporting and alerting. The product uses SMTP to send email, and relies on the presence of an accessible SMTP server. The SMTP settings dialog allows configuration of the SMTP settings, which are then shared by all Lieberman Software products.

The Destinations dialog is shown below. The destination list contains the email addresses to send the report to after generation. The subject line has the subject for the report email. The Edit button allows editing the subject line and inserting report-specific replaceable variables. The Settings button pulls up the Settings dialog (see "Server Settings Overview" on page 211), which provides SMTP configuration information.

The Server Settings contains three parts:
General SMTP Settings (see "SMTP Settings: General" on page 212)
Outgoing Server Settings (see "SMTP Settings: Outgoing Server" on page 216)
SMTP Logging (see "SMTP Settings: Logging Options" on page 222)

SMTP SETTINGS: GENERAL

Email settings can be configured under Settings Settings. The general settings page, shown below with the default information, contains the general settings for sending SMTP messages, including the name, organization, address, and reply address of the sender. Field titles with asterisks (*) on them are optional and may be left in their default state without affecting the operation of this program.

Sender Information

Before sending email via this program, the Sender Information and Reply-to address on the General page must be configured. This information is sent with each email in its header and will appear when the recipient reads the mail. Some servers will reject messages that lack the proper address information for these fields (i.e. wrong domain name).

Message Priority/Importance*

Outgoing messages can be tagged with a priority or importance tag. By default the priority is Normal. Setting this value will add a marker next to messages similar to the following (message was set to Urgent and displayed in Microsoft Outlook). The display of the message priority is totally dependent on the capabilities of the email reader used to display messages generated by this program.

Message Read Receipt Generation Client Based*

Email clients can be instructed to generate a return email when the user opens the email. The generation of the receipt is totally dependent on the client used and there are no guarantees that the receipt will be generated upon read. The recipient of the read receipt is designated in the Send Client Read Receipts field as shown.

To make things even more interesting, Microsoft Outlook does not use the default receipt generation mechanism, but requires the use of a custom message header (described below).

Custom Message Header Generating Read Receipts in Outlook*

Message headers are special text added to the message before the body of the message appears. This is where the date, time, sender, receiver, message id numbers and other useful information are stored. Message headers have the format of Name:Value pairs, where the two fields are separated by a colon. Below is an example of some of the headers in a message (viewed by right-clicking on a message and selecting Options).

Message-ID: @liebsoft.com
X-Priority: 2
Return-Receipt-To: [email protected]
Reply-To: Message from Program [email protected]
Disposition-Notification-To: Support Group [email protected]
From: [email protected]
To: [email protected]
Subject: Report generated by Lieberman Software Program
Date: Fri, 29 Jul :19:
MIME-Version: 1.0

To generate a client read receipt response for Outlook clients, add the Custom Message Header pair: Disposition-Notification-To: Address. Within the product, put Disposition-Notification-To in the Name field and the address for notification in the Value field. See the example below.

When an Outlook client gets a message with this extra field, a pop-up similar to the following will appear:

When the Yes button is clicked, an email will be sent back to the reply address with the following icon in the far left column.

Use the custom message header for other functions, or leave it blank if there are no special headers.

Server Delivery Notification ESMTP*

SMTP normally provides for Delivery Status Notification (DSN), but additional notifications may be available if the target server supports Extended SMTP (ESMTP). Try these options by first attempting to send notifications to a known email account. If the server does not support these options, turn off this feature; otherwise messages will be discarded by the server.

To use these features, set the check box marked: Enable Server Delivery Status Notification.

The Notify Trigger property allows triggering of a server response on send failures, successes and/or delays. These are controlled by the Notify Trigger pull-down.

The Notify Size property specifies what the notification contents should contain.

The Customer Return Envelope Header Text allows arbitrary text to be inserted into the header of the return message so that notification messages from this program can be identified more easily via rules or software that scans the header portion of emails.

SMTP SETTINGS: OUTGOING SERVER

This program supports a locally installed (internal) server known as SMTP Express, or the use of an external SMTP server. This program provides very rich support for all of the variations of SMTP, including the use of SSL for transmission of credentials and data.

Internal SMTP Express Server

The SMTP Express server installation package is available through Lieberman Software's website at Installation instructions for SMTP Express can be downloaded from the same page.

There are no configuration options when enabling the Internal SMTP Express Server option. All that needs to be done is to set the option button: Use Internal SMTP Express Server. The Sender information on the General page does need to be filled out for proper message headers to be seen by the recipient.

If the option button Use Internal SMTP Express Server is grayed-out (unavailable), it is because SMTP Express has not been installed on the host computer. Install the software and restart the program; SMTP Express is then available.

If an error is received when sending email via SMTP Express that states email settings have not yet been configured, please go to the section within this manual entitled Error Sending Message via SMTP Express.

SMTP EXPRESS SECURITY

SMTP Express does not provide SMTP capabilities to other machines on the network, nor does it provide SMTP forwarding for non-Lieberman Software products on the local computer. SMTP Express is a local service installed on the local computer that looks for email being dropped into a local directory on the local hard drive. The email is then picked up by the service, examined and forwarded appropriately.

There are no security configuration settings such as authentication for SMTP Express itself. If network security blocks outgoing port 25 traffic from SMTP Express, there are configuration options within SMTP Express to allow alternate means of forwarding the traffic. See the SMTP Express manual for more details.

ERROR SENDING MESSAGE VIA SMTP EXPRESS

If the following message is received when attempting to send a message via SMTP Express:

This is caused by a minor logic bug that was corrected in later versions of Lieberman Software solutions in the sending code after February, A simple workaround is to go back to the Settings dialog and perform the following changes:

Click on the General tab and put in the sender information values (don't use the default values).
Click on the Outgoing Server tab and set the radio button to Use External SMTP Mail Server.
Type a non-blank value into the Outgoing SMTP Server Name field. This value will not be used by the Internal SMTP Express Server.
Click on the Use Internal SMTP Express Server option.
Click on the OK button.

The error will not occur.

External SMTP Mail Server

To use an external SMTP mail server such as Exchange or Domino or others, set the radio button to Use External SMTP Mail Server. All of the settings for the external SMTP server are dependent on how the SMTP server is configured. There are no standard settings for SMTP since each organization is different.

OUTGOING SMTP SERVER NAME

The server name can be the DNS name of the server or its IP address.

PORT NUMBER

The port number used for email is normally port 25. For SSL encrypted email it may be port 25 or port 465. If port 25 is used with the SSL encryption option enabled, the Enabled TLS Negotiation check box is normally set. Port 25 is the most common setting for both SSL and non-SSL configurations.

SERVER TIMEOUT

The default value of 30 seconds works in most cases. Increase this time if necessary.

DEFAULT BUTTON

The default button will reset the port number used by the SMTP server. The default is based on the setting of the Enable SSL Encryption check box. If the check box is set, the default will be port 465. If it is unchecked, it will be port 25. See the note in the Port Number section about port numbers and SSL usage in the real world.

SSL ENCRYPTION

SSL encryption allows both logon credentials and data to be encrypted during the SMTP transaction. The server must already be set up to use SSL encryption for this option to work. Turning this option on when the SMTP server does not support it will cause email to not be sent successfully. Test the SSL functionality with an email client such as Outlook or Windows Mail to confirm that all SSL components are configured correctly.

The TLS Negotiation option is necessary when using port 25. This option allows an initial connection using clear text on port 25 without any credential exchanges, an upgrade of the connection to SSL encryption, followed by the transmission of credentials (optional) and mail on a secured connection. If the TLS option is unchecked, an assumption is made (usually wrong) that encryption will be available immediately (which is not the case on port 25).

AUTHENTICATION

The default SMTP authentication system sends the defined user name and password as clear text over the Internet. These credentials can be secured from interception by the use of Secure Password Authentication or by the use of SSL Encryption. Both of these options require that the target SMTP server be specially configured to support them, and not all servers do.

POP3 BEFORE SMTP AUTHENTICATION

Some consumer ISPs require first performing a POP3 login before SMTP can send. Since this product is normally used in an enterprise environment rather than as a consumer product (which is usually where this scenario occurs), it was decided not to support this level of SMTP usage. If affected by this limitation, use the free internal SMTP Express provided by Lieberman Software.

TEST THESE SETTINGS BUTTON

The Test These Settings button is a handy way to check that the SMTP server is there, will accept the defined credentials, and everything is working as it should. This feature does not actually send mail, but instead completes all of the handshaking with the server to assure that mail could be sent if needed.

When performing the test, if everything is OK, the following window pops up.

If there are problems, the pop-up will display the problem and the log may have additional information. The program log will also have all of the transaction details recorded.

-- Testing connection to: liebsoft.com:25 from [email protected]
-- Auth mode: 1 (account: phil15)
-- SSL Enb: 0 (TLS Negoc: 1)
Failed to send message error: ESMTP Authentication failed.

When all the information on this page and the General Settings Page (see "Server Settings Overview" on page 211) has been entered, test the connection to the SMTP server by using the Test These Settings button. If the connection exists and the server allows a logon to send email using the current settings, the product will confirm that everything is set up correctly. If the connection fails, adjust the settings and try again.
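The following is an added example, not code from the product or from Lieberman Software: it maps the SSL Encryption and TLS Negotiation check boxes to what happens on the wire, and reviews a test-log record for the two combinations the guide warns about (credentials sent as clear text, and SSL on port 25 without TLS negotiation). The class and function names are hypothetical, the sample log is constructed in the layout of the log shown above, and reading "Auth mode: 0" as "no authentication" is an assumption.

```python
import re
import smtplib
import ssl
from dataclasses import dataclass


@dataclass
class SmtpSettings:
    host: str
    port: int
    ssl_enabled: bool                   # "Enable SSL Encryption" check box
    tls_negotiation: bool               # TLS Negotiation check box
    authenticated: bool                 # a user name and password are configured
    secure_password_auth: bool = False  # Secure Password Authentication


def transport_mode(s):
    """Map the two check boxes to the behaviour described in the guide."""
    if not s.ssl_enabled:
        # Assumption: TLS negotiation has no effect when SSL is switched off.
        return "cleartext"
    # TLS negotiation: connect in clear text, then upgrade before credentials.
    # Without it: encryption is expected from the first byte (port 465 style).
    return "starttls" if s.tls_negotiation else "implicit-tls"


def review(s):
    """Return findings for the setting combinations the guide warns about."""
    findings = []
    mode = transport_mode(s)
    if s.authenticated and mode == "cleartext" and not s.secure_password_auth:
        findings.append("credentials-sent-in-clear-text")
    if mode == "implicit-tls" and s.port == 25:
        findings.append("ssl-on-port-25-without-tls-negotiation")
    return findings


# Field layout follows the test log in the guide; the values are constructed.
SAMPLE_LOG = (
    "-- Testing connection to: mail.example.com:25 from reports@example.com\n"
    "-- Auth mode: 1 (account: svc-report)\n"
    "-- SSL Enb: 0 (TLS Negoc: 1)\n"
    "Failed to send message error: ESMTP Authentication failed.\n"
)

LOG_RE = re.compile(
    r"Testing connection to: (?P<host>[^:\s]+):(?P<port>\d+).*?"
    r"Auth mode: (?P<auth>\d+).*?"
    r"SSL Enb: (?P<ssl>\d) \(TLS Negoc: (?P<tls>\d)\)",
    re.S,
)


def settings_from_log(text):
    """Rebuild the effective settings from one test record in the log."""
    m = LOG_RE.search(text)
    if m is None:
        raise ValueError("no SMTP test record found")
    return SmtpSettings(
        host=m["host"],
        port=int(m["port"]),
        ssl_enabled=m["ssl"] == "1",
        tls_negotiation=m["tls"] == "1",
        authenticated=m["auth"] != "0",  # assumption: 0 means no authentication
    )


def open_connection(s, timeout=30):
    """Open an SMTP session the way each mode implies; caller must quit() it."""
    ctx = ssl.create_default_context()  # this example verifies the certificate
    if transport_mode(s) == "implicit-tls":
        return smtplib.SMTP_SSL(s.host, s.port, timeout=timeout, context=ctx)
    conn = smtplib.SMTP(s.host, s.port, timeout=timeout)
    if transport_mode(s) == "starttls":
        conn.starttls(context=ctx)      # upgrade before any credentials are sent
    return conn


if __name__ == "__main__":
    logged = settings_from_log(SAMPLE_LOG)
    print(transport_mode(logged), review(logged))
    fixed = SmtpSettings("mail.example.com", 25, True, True, True)
    print(transport_mode(fixed), review(fixed))
```
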

SMTP SETTINGS: LOGGING OPTIONS

The logging page defines the logging options for SMTP email. Event logging tells the SMTP application to log events to the Windows event log. The log file logs communication transaction details while performing SMTP operations. The logging option is useful for debugging problems with SMTP traffic.

IP SCANNER DIALOG

The IP Scanner allows one or more IP address ranges to be scanned for machines. By default, only systems that grant the currently logged on account or an alternate administrator account access will be added. A Report Generator (see "Report Generator / Output Settings" on page 205) package allows exporting the results of the IP scan to a text file, Excel spreadsheet, or database. The results can also be used to build system sets or add to an existing system set for further action.

The main dialog is shown below. The main sections of the dialog are:

Subnets/IP Ranges to Scan. This panel, at the top of the screen, lists the ranges that will be scanned to search for systems to add to the current system set. Add, edit, or delete ranges by using the buttons underneath the panel labeled: Add, Edit, Delete.

Scanned IP Addresses. This panel displays the list of systems found in the range of the scan.

Exclusion List (on page 16). Not all machines returned by the IP Scanner should be imported into a system set. Certain machines may already be known as untouchable/critical, where settings should not be changed under any circumstances. The program provides an editable Exclusion List to enter the NETBIOS names of the machines to exclude. When performing an IP scan, all machines capable of administrative access are added to the "Scanned IP Addresses with administrator level access" list; however, any machines that also appear on the Exclusion List are disabled (unchecked) by default. Unchecked systems will not be exported. To edit the Exclusion List, click on the "Edit" button to the right of the "Exclusion List."

Optional Administrator Account. This is the list of alternate administrator accounts. This list can be edited through the menu.

Log File. This is where the log of actions is displayed to the screen.

Clicking on the "Add" button under the top panel brings up the dialog box shown below. The "IP Address Range Type" radio buttons allow entering the address format in either Network Address format or IP Stop/Start format. If using the Network Address format, click on the "Calculate >>" button to see the range of addresses generated by the subnet of the Network Address. Alternatively, click on the "Analyze Entries" button to examine the address range and report on the class and format of the address range.

Clicking on the "Edit" button will display the same dialog, but any changes will be made to the selected entry in the panel.

Enable or disable any address range by checking/un-checking the "Enable Entry" check box.

The name of the subnet or address can be entered in the "Description" field.

In the middle of the main dialog are buttons to "Set Fields". Highlighting one or more entries in the Subnets list (top list) and then clicking on the "Subnet" or "Skip" buttons will change the subnets and skipped address ranges for all of the highlighted entries. This is a useful feature when needing to modify a range of imported network address ranges. The "Select" group of buttons will highlight all or none of the address ranges. The "Enable" buttons will enable (check) or disable (un-check) all highlighted entries. This is useful when only a subset of all available addresses should be scanned.

To perform the scan, click on the "Scan Now" button or use the menu option: "Scan Subnet > Start." Notice that the "Status" field (lower right) will show the highest IP address currently being

scanned. The "Progress" bar will also show the percentage of addresses processed (or in process). To see when the process is complete, keep an eye on the "Active Threads" number. When this number goes to zero, the scan is completed.

A "Log File" list box displays any unusual return codes from your systems. One common error code is This error can mean that the local protocol stack is getting confused (this should be corrected in a Microsoft Service Pack). This error can be ignored without any worry since the scanner will continue to retry until the protocol stack gets back into proper operation.

When the scan is completed, a list of entries that fully identifies each machine will display. These results can be sorted by clicking on the column headers. Any entries which should not be exported can be disabled by highlighting the entries and clicking on the "Yes" or "No" button in the "Enable" button group below the list of scanned machines.

IN THIS CHAPTER
IP Scanner Menu - File
IP Scanner Menu - Options
IP Scanner Menu - Scan Subnet
IP Scanner Menu - Report Generator
IP Scanner Menu - Alternate Administrators
IP Scanner Menu - Exclusion List
Vulnerability Testing

IP SCANNER MENU - FILE

Options on this Menu:

IMPORT SUBNET LIST - Allows you to import a list of subnet addresses to scan.
EXPORT SCANNED ENTRIES - Allows you to export a list of systems from the results of the scan.

IMPORT SUBNET LIST

Import a range of subnets into the scanner for scanning if the file format is organized as:

Network Address1 ;Comment
Network Address2 ;Comment

To import a range, click File > Import Subnet List. This will activate the following dialog to confirm that the file being imported is in the correct format.

Click Next. Specify the path to the file containing a list of network addresses. After selecting the file to use, the following dialog, which confirms the selection, will appear.

Click Next. Specify the default subnet mask for each imported network address. The subnet mask helps limit the range of addresses to be scanned. If some of the network addresses are different, go back later and edit the subnet masks.

After clicking on the Next button, a final dialog box will pop up that will prompt to skip the first, last and gateway (start+1) addresses in the subnet range. Normally leave these check boxes unchecked. The state of these check boxes is shown in the "NetSkip" column of the main dialog.

Click the Import button to add the subnets to scan to the list. Notice that all of the entries have a check box next to them that is checked. By default, all address ranges are enabled.

EXPORT SCANNED ENTRIES

Before exporting any of the scanned systems, make sure any systems that should not be exported are disabled (unchecked). To disable any excluded systems, click on the Apply button within the Exclude Systems List area (normally this step is not necessary unless the Exclusion List is loaded after completing the scan and the Exclusion List needs to take effect on the results already in the list).

To export, click on the Export button located to the right and bottom of the list of systems. This may also be done by clicking File > Export Scanned Entries.

The following dialog will now appear:

It is possible to export the NetBIOS names or the raw IP addresses to the management set. The NetBIOS name export is the preferred format.

The distribution of the scanned machines can be as follows:

Automatically create a new system set where the name is composed of the number of the subnet/address range in the list combined with a description. This is a good option if a router table with address as the source of the address ranges to scan was imported. The created management sets are populated with those machines that are in the IP range of the management set (same subnet/IP range).

Automatically create a system set for each unique domain/workgroup retrieved from the scanned systems. Use this option to manage machines by domain where the machines are spread across multiple network segments.

Import all of the enabled (checked) scanned systems into the current management set.

Click on the OK button to perform the export. The operation is very fast. Then go into the current system set, or go back to the main program dialog to select a different system set.

IP SCANNER MENU - OPTIONS

Options for this Menu:

THREAD MAXIMUM OVERRIDE - Sets the maximum number of Threads (see "Thread Maximum Override" on page 231) to use for the IP scan.

THREAD MAXIMUM OVERRIDE

Once a list of IP address ranges to scan is set, the next logical step is to begin the actual scanning. The scanning step uses as many threads as needed, up to the maximum (configurable, but 100 by default). This value can be overridden by clicking Options > Thread Maximum Override.

The upside of increasing the number of threads is that a large address range can be scanned quickly. The downside is that stopping a scan can take an extended period of time as all outstanding network requests must finish or time out. Increasing the thread count can also set off an intrusion detection/prevention system. When working with this feature, set the number to 10 for a relatively quick stop time, and increase the number to 1000 or 5000 to scan large ranges of systems.

IP SCANNER MENU - SCAN SUBNET

Start - Begins the scan of the selected subnet range.
Stop - Tells all the threads working on scanning the subnet range to stop.
Validate Subnet Table Values - Verifies that the given range is able to be scanned. This would detect bad input from imported lists of subnet ranges.

IP SCANNER MENU - REPORT GENERATOR

Options on this menu:

SUBNET IP/ADDRESS RANGE LIST - Tells the Report Generator to output the Subnets/IP Address Range List panel including all systems in the list and all columns in the list.
IP SCAN RESULTS - Tells the Report Generator to output the Scanned IP Addresses panel including all the systems in the list and all the columns in

the list.

Note that both of these features make use of the Report Generator (see "Report Generator / Output Settings" on page 205) feature.
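For the Import Subnet List file format and the Validate Subnet Table Values check described above, the following added example (not the product's own code) parses a list in the "Network Address ;Comment" layout, applies a default subnet mask, rejects bad or overlapping entries before anything is scanned, and expands a range with the first/last/gateway skip options. The function names and the sample list are constructed for illustration, and treating "first" and "last" as the lowest and highest address of the subnet is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SubnetEntry:
    line: int
    network: ipaddress.IPv4Network
    comment: str


def parse_subnet_list(text, default_mask="255.255.255.0"):
    """Parse 'Network Address ;Comment' lines into entries and errors.

    Returns (entries, errors); each error is (line number, text, reason).
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        addr_text, _, comment = raw.partition(";")
        addr_text = addr_text.strip()
        if not addr_text:
            continue  # blank or comment-only line
        try:
            # strict=True rejects host addresses such as 10.20.30.77 with a
            # /24 mask, which usually means a typo or the wrong default mask.
            net = ipaddress.IPv4Network(f"{addr_text}/{default_mask}", strict=True)
        except ValueError as exc:
            errors.append((lineno, addr_text, str(exc)))
            continue
        clash = next((e for e in entries if e.network.overlaps(net)), None)
        if clash is not None:
            # Overlapping ranges would scan the same machines twice.
            errors.append((lineno, addr_text, f"overlaps line {clash.line}"))
            continue
        entries.append(SubnetEntry(lineno, net, comment.strip()))
    return entries, errors


def addresses_to_scan(net, skip_first=False, skip_last=False, skip_gateway=False):
    """Expand a subnet into the addresses left after the skip options."""
    first = net.network_address      # assumption: "first" = lowest address
    last = net.broadcast_address     # assumption: "last" = highest address
    skipped = set()
    if skip_first:
        skipped.add(first)
    if skip_last:
        skipped.add(last)
    if skip_gateway and net.num_addresses > 1:
        skipped.add(first + 1)       # "gateway (start+1)" as in the wizard
    return [ip for ip in net if ip not in skipped]


# Constructed sample list, not taken from the guide.
SAMPLE_LIST = """\
10.20.30.0 ;Head office servers
192.168.5.0 ;Branch lab
10.20.30.77 ;host address, not a network
300.1.1.0 ;bad octet

10.20.30.0 ;duplicate of line 1
"""

if __name__ == "__main__":
    good, bad = parse_subnet_list(SAMPLE_LIST)
    for entry in good:
        todo = addresses_to_scan(entry.network, True, True, True)
        print(entry.network, entry.comment, len(todo), "addresses")
    for lineno, value, reason in bad:
        print(f"line {lineno}: {value!r} rejected: {reason}")
```
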

IP SCANNER MENU - ALTERNATE ADMINISTRATORS

The options for Alternate Administrators are shown in the bottom of the dialog box of the IP Scanner. The list of available alternate administrator accounts is in the lower left. Options from this menu can be used to add, edit, and delete alternate administrators from this list. All previously entered alternate administrator accounts (if any) are used by the IP Scanner. To use the default (current) logon credentials, un-check the Enable Alternate Administrators check box on the right bottom side of the dialog.

To add additional alternate administrators, right click on the list in the lower left hand corner or use the Alternate Administrators menu options to add, edit, or delete alternate administrator accounts.

If using the wild card of %SYSTEM% for impersonating accounts, the IP address will be prefixed onto the account. This may or may not work with some systems. Generally the prefix information for the system will be safely ignored.

ADMINISTRATOR ACCOUNTS MENU - ADD

The adding and editing of alternate administrators is handled by a simple dialog shown below.

Add - To add another alternate administrator account, fill out the user name and both password fields, then select whether the alternate administrator is a local or a domain administrator. Click OK to add to the Alternate Administrator List.

Edit - To edit an alternate administrator account, simply make any changes to the current alternate administrator account and click OK to update the Alternate Administrator List.

Delete - A dialog asking for confirmation to delete the alternate administrator account will appear.

IP SCANNER MENU - EXCLUSION LIST

Options for this Menu:

SYSTEMS EXCLUDED FROM ALL OPERATIONS - Access to the Exclusion List (on page 16).
APPLY TO IP RESULTS - Masks the excluded systems from those found in the IP scan.

SYSTEMS EXCLUDED FROM ALL OPERATIONS

Use the Add and Delete buttons to manually change the Exclusion List. It is also possible to provide a text file containing critical systems that should not normally be modified; use the Import List button to load the list. The format of the imported list is simply each machine name on a line by itself.

VULNERABILITY TESTING

One use of the IP Scanner is to find systems on the network that are vulnerable to attack because they use the default administrator setting of the built-in administrator account being named "administrator" with a blank password.

To perform this test, do a local logon to the host system with a local administrator account that is unique. Make sure that the account chosen for the local logon does not appear on any of the remote machines. Next, enter the alternate credentials of an account named "administrator" with its password as blank. Make sure that the check box for Enable Alternate Administrators is checked. Now perform a scan of the network. What is returned is a list of all machines that can be connected to with the default administrator credentials and a blank password.

If these systems are directly connected to the Internet, this scan is especially important to perform.

ALTERNATE ADMINISTRATORS

This feature allows specifying additional sets of credentials that can be used to administer systems in multiple [un-]trusted domains and work groups. The program will automatically use the current login credentials or any of the alternate administrator credentials when it performs operations.

When Alternate Administrators are enabled, it is normal to experience delays on some machines during operations because the program must wait for bad credentials to time out before trying alternate credentials.

To access the Alternate Administrators dialog, open any set of systems and click the Alternate Administrators Accounts option from either the Settings menu or the ConnectAs menu.

In newer versions of Microsoft operating systems, there may be issues using Alternate Administrators to manage any COM+/DCOM application. This is a Microsoft imposed limitation.

IN THIS CHAPTER
Administrator Accounts Editor

ADMINISTRATOR ACCOUNTS EDITOR

Shown below is the Administrator Accounts Editor Dialog.

The top list shows the list of systems in the current set and any previous information recorded about the systems. The lower left of the dialog lists the alternate administrator accounts. The Status field shows the current status of any task that has begun and has not yet completed. The Active Threads box shows how many threads are working on the current task (zero when work is completed or no operation is in progress). The progress bar is an approximation of task completion.

The Current Logon Account is the account the solution is opened as. The check box titled Enable Alternate Administrators is a program wide option that allows the use of alternate administrative credentials for all connections made through the tool. Alternate administrator accounts can be edited by using the Administrator Accounts Editor menu option.

ALTERNATE ADMINISTRATOR ACCOUNTS

To edit or delete one of the entries, first highlight the entry and use either the Edit or Delete menu option. To add a new alternate administrator, use the Add option (also available through the Alternate Administrators menu item). These options are also available through the context menu (right-click menu) of the Alternate Administrators List.

Enter the name of the alternate administrator (use the "domain\account" or "account" format) by manual entry, or via the Local or Domain browse buttons. Substitution, such as '%system%' to replace the system name for local account changes to multiple machines, may also be used.

For example: The local machine name is DCTR1, it is a domain controller in domain DOMAIN, and it has an account named CustomUser. The target machines each have local accounts named CustomUser, but can also be accessed by the account DOMAIN\CustomUser. By specifying %system%\customuser, the local CustomUser account on each machine is specified, rather than the domain account DOMAIN\CustomUser.

TESTING ADMINISTRATOR ACCOUNT ACCESS

Check the Enable Alternate Administrators check box to use all alternate credentials when accessing systems. To test access, highlight one or more systems (if none are selected, all systems in the list are tested for access) and click on the Test Access button (or go to the menu item Test Access > Start). This test will identify which systems are on-line and which credentials worked with which systems. The testing is completed when the threads counter equals zero.

The columns for AdminID and AdminPwd show which account/password provided administrator access to each remote system. If there is a number in the ALT# field, it corresponds to the ID# of the alternate administrator account that successfully connected. If a dash (-) is in the ALT# field, an alternate administrator account was not used to connect to the computer. If none of the entries worked, this will be reflected in the Access Status field. Lack of appropriate administrator credentials is shown by an error code of 5 - Access Denied. Other error codes (e.g. 53, 1722) usually indicate an off-line system.

ENABLE ALTERNATE ADMINISTRATORS

Typically, the logon account will be used for connections. To have the program try alternates in case of problems authenticating, set the check box: Enable Alternate Administrators. Be aware that not every feature in the solution may work through alternate administrators, as there may be limitations on impersonation imposed by Microsoft.

REPORT GENERATOR - ALTERNATE ADMINISTRATORS

Export the results of an authentication test using the built-in Report Generator (see "Report Generator / Output Settings" on page 205).

DEFERRED PROCESSING

This program provides the ability to schedule operations to occur in the future and/or on a recurring basis. Another very handy feature is the ability of the program to retry all machines that are found to be off-line or return errors. These features come under the heading of "deferred processing".

The job process is handled by a service that runs on the host system. The service runs under an administrator-level account due to the accesses required on target systems. It is best to use a domain administrator account for this service, given that it will be accessing many if not all systems in the network.

The program periodically (default is 6 seconds) checks for any jobs that need action, as well as whether any retry jobs are ready to be tried again. This service is also responsible for scheduling the re-scan of dynamic system sets. The job dispatching works as a queue, so older jobs will always run before newer jobs if more than one job should be dispatched. Only one deferred job will run at a time.

Install and start the deferred processing service to permit any deferred processing to take place. The setup and management of the deferred processing service is handled through the Jobs Monitor dialog. The Jobs Monitor dialog can be launched either from the main program dialog or from the systems list dialog.

The Jobs Monitor shows the current jobs; get more details on any job by double-clicking on it. These jobs may be edited, deleted, restarted or paused. The scheduler job log can also be viewed, printed, or erased. The retry policy (wait between retries, which errors to ignore, etc.) can also be set from this dialog. Use the Components option to determine the properties of the installed components.

Note: If the system that is running the deferred processing service is restarted, make sure that the scheduler is restarted when the system comes back up.

IN THIS CHAPTER
Scheduling Options
Jobs Monitor Dialog
Jobs Monitor Menu Items
Editing a Job
Job Scheduler Service Installation
Job Scheduler Log File Dialog
Job Scheduling Check Interval

SCHEDULING OPTIONS

The various product operations provide a Schedule feature which allows specification of when the operations should be performed. This can be used to schedule operations to be performed at a later time or to run operations periodically.

Shown below is the Job Scheduler dialog. The purpose of the job scheduler is to run a task at some time in the future, or to run it at regular intervals in the future. This dialog allows configuring when and how the job should run. It also allows sending a Wake on LAN packet prior to the job, or deleting the job after its last completion. The job can be set to Run now, which will cause it to be run through the deferred processor by scheduling the job to happen immediately once and then be rescheduled according to its settings.

Scheduled jobs will not run if the deferred processing service has been stopped. If the scheduling service is stopped and started later when many jobs are overdue, the scheduler service will attempt to start each job in order, one at a time.

The top drop-down box specifies how often the task should be run and the bottom box specifies the exact time(s). There is also an optional comment field to record notes associated with the specific job. A job can be set to be deleted when it is complete. Wake on LAN packets may be sent before performing a job, to make sure the target computer is on. The panel on the right shows which operations are being scheduled.

Note: For jobs scheduled on all machines in a dynamic set, a dynamic set update is performed just before the job is run. This allows setting up jobs to run on all systems in the set without having to worry about forcing the dynamic set to be current.

JOBS MONITOR DIALOG

Shown below is the Jobs Monitor dialog. The Jobs Monitor allows viewing and managing jobs that have not yet completed or jobs that are set to run in the future. The Jobs Monitor will also show the status of any jobs that have failed and are being retried.

The top list shows the current list of jobs and each job's status. In the dialog shown, there are currently no pending jobs. The columns of the list show the job type, the number of machines the job was originally run on (and the number remaining to complete), the current state of the job, the number of retries attempted, the time and result of the last run, the time of the next attempt, and the status of the job.

The middle section of this window has three parts. On the top left, there is a section which shows the status of the scheduler service. From here, it is possible to adjust the scheduler service state (and the Service Installation dialog (see "Job Scheduler Service Installation" on page 251)), the sleep time between runs, and the general Retry Policy. If the service is running, the numbers in the countdown box will count down to 0.

The top right box has controls for manipulating the jobs. Edit Job Properties, pause and resume jobs, delete jobs from the list, or restart jobs from here.

The bottom section has controls for the Scheduler's Log File (see "Job Scheduler Log File Dialog" on page 251). Adjust the log file name and location, as well as view and erase the log from here.

Note: the scheduler's log file contains entries for the scheduler service operation; entries related to specific jobs are contained in the specific job's log file. Access these log files by editing the particular job.

The top list box provides summary information about all of the pending and completed jobs. The entire dialog may be resized, or any column may be resized by using the mouse to drag the right border of any column heading. Note that some of the columns appear to be truncated. This was done on purpose to display the most important information on each line, yet allow the option of opening up partial columns that may contain infrequently used information. The function of each column is described below:

JOBID is the number of each job. The numbers start at and go up to FFFFFFFF counting in hexadecimal (0-9, then A-F before carrying to the next digit).

COMMENT is an optional comment which can be given to each job. This column has been intentionally narrowed to provide enough space for other columns. The column can be resized by dragging the right side of the column to the right.

ACTION is the type of job. This will normally correspond to Get, Set, Replace etc.

SYSCNT/TODO provides a count of the number of systems in the job and the count of systems yet to be processed.

STATE shows the state of the job. Jobs can be scheduled for a run (sked), retrying (retry), completed (done) and a few other states.

RETRIES shows how many times this job had to be restarted to handle a returned error. If any part of a job fails, the entire job is re-run.

LAST RUN shows the date and time of the last run of the job. This is useful when tracking jobs that are retrying.

LAST ELAPSED shows the amount of time it took for Service Account Manager to complete the last task.

RTNERR shows the last returned error code number. Successful jobs always return zero (0) if there were no errors. Ignore certain errors by using the "Retry" dialog to edit the ignore errors list.

NEXT RUN shows when the job is scheduled to run next.

STATUS shows the current return status message for the job. Double-click on any job to get detailed information on any system or service in the job.

JOBS MONITOR MENU ITEMS

FILE
Log - Set up, view or print the log file of all the program's activities.

JOB
View/Edit Details - Edit selected job(s).
Restart - Restart the selected job(s).
Pause - Pause the selected job(s).
Delete - Delete the selected job(s).
Retry Policy - Open up and edit the Retry Policy.

SCHEDULER SERVICE

Configure - Open up and configure the scheduler service.
Sleep Time - Set up the sleep time between checks for scheduled services.

COMPONENTS
View Components - View components that are used by this program.

HELP
Contents - Opens this file.

EDITING A JOB

There are multiple ways to edit an existing job: double-click the job, or highlight a job and click on the Edit button in the Jobs Monitor.

IMPORTANT: Clicking Cancel after viewing or editing a job will discard all changes to that job. If the OK button is clicked instead, the job will be immediately rescheduled to run according to its scheduling settings.

Below is a typical scheduled job dialog. At the top of the dialog is the name of the job. There are also three tabbed pages:

Job Systems - This is the screen shown below. This page shows the list of systems managed by this job. Use the Add and Remove buttons to add and remove systems from this job. The number of systems that have yet to be completed is listed below each list of systems and labeled #Remaining Work. When a job is created, only the systems selected will be included in that job. Jobs can also be set to run on all systems in a dynamic management set. If the job is running on all systems in a dynamic management set, the systems list for a specific job can be dynamically refreshed each time before the job runs. Note that this will also refresh the system list of the corresponding dynamic management set. The job can also be set to run any time a new system is added to the system list of the associated dynamic management set. This condition will be met if the system is added manually or if the system is added automatically through a scheduled dynamic management set update.

From this dialog, enabling the Run this job when systems are added to the management set option will specify that any time a new system is added manually or automatically, the job will be run against those systems.

Schedule Job - Shows when the job is to be run and allows modifying the running criteria. This is the standard scheduling options page for all scheduled operations. The How often should this job run? setting determines how often and when this job should be run. The options are: One-Shot (meaning just once), disabled, hourly, days of the week, monthly, or yearly. Delete job on completion will remove the job from the job list upon completion. The Scheduled Run Time box allows setting the desired time to run the job. The job comment text field allows providing a job comment that appears in the Jobs Monitor dialog.

Job Log - Displays the detailed log information regarding this job. Each job that runs via the deferred processor maintains its own text-based log. The same file may also be viewed using the Windows built-in text editor application (via the View Log File button) and printed (via the Print Log File button). The file size is displayed and the file can be deleted if desired.

This log file will contain any job-specific error messages related to the execution of this job. It will show when the job ran, who started it, and status messages indicating what it is doing and how long it took to complete. This log will also contain any error messages that occurred while the job was running.

JOB SCHEDULER SERVICE INSTALLATION

Shown below is the Scheduler Service Installation dialog. The status display shows the current status of the scheduler service. Use the refresh button to cause the program to query for the status manually. The start and stop buttons control the startup and shutdown of the service. The path to the scheduler service may be changed from this dialog.

Before the service can run, it needs to be installed. When installing the service, the installation dialog will prompt for the account to run the service under. To later remove the service, use the Remove button.

Note: The account the service runs as will be granted the necessary rights to run as a service if it does not already have these rights. The relevant right is Log On as a Service. Remove will not revoke any rights which were granted as a result of this operation.

The service will be installed as a regular service on the host machine under the name of this application. The service can also be configured via the Service Configuration control. To reconfigure the service through the tool's dialogs, first remove the service, and then use install. At this time, reconfigure is functionally equivalent to install.

JOB SCHEDULER LOG FILE DIALOG

The Job Scheduler Log File dialog is shown below. This can be accessed through the File menu in the Job Scheduler dialog. This dialog allows the user to view the log file in a text editor, print the log file, or delete the log file. It also displays the size and location of the log file.

The log file for the deferred processor service will contain messages related to the operation of the scheduling service. It will show service startup, stop, and job dispatches as well as abnormal return codes from dispatched jobs. For log information pertaining to a specific job, look in that job's log file by editing the job and browsing to the log tab.

JOB SCHEDULING CHECK INTERVAL

The job scheduler periodically checks all existing jobs to determine whether it is time to start them. The period between polls is set in the Sleep Max field. Edit this time by clicking on the ellipses (...) button to the right of the Sleep Max field. The default time is 60 seconds. Between checks, the scheduler is in a sleep state and will not dispatch jobs. Only one job will be dispatched at a time.

REMOTE CONTROL

The remote control support allows integration with VNC and Terminal Services to provide remote control for systems.

IN THIS CHAPTER
Setting up VNCPass
Open VNC Connection
VNC Options
Import Settings from a .rcm File
Install/Remove VNC on System
Start/Stop/Restart the VNC service
Set VNC Password
Troubleshooting VNC sessions

SETTING UP VNCPASS

Before using VNC functionality, first download and install the open source VNCPass application from Lieberman Software's website at This separate application will allow getting and setting options for VNC. This application will also allow launching VNC and starting a logon session on a remote machine.

OPEN VNC CONNECTION

This option will attempt to create a VNC connection with all selected systems. By default, the application will attempt to connect to the VNC service running on the remote machine. If the service cannot be found, it will attempt to copy the service to the remote machine, install the service, and start the service. The connection will then be retried. During this process, if required information cannot be found (such as a path to the service or any of the required files), a message box will be displayed to inform the user of the missing components.

If copying VNC to a remote system, make sure to specify a logon password for the service. If the password is left blank, VNC will not allow connections using the logon password mechanism. Open VNC Connection also does not require knowing the password for the VNC installation on the target system. The VNC connection password can be gathered as part of the connection process.

If a different version of VNC is installed on the local system than the version that is running on the remote system, VNC may not be able to connect. The easiest way to get around this issue is to remove the remote version and push out the local version to remote systems when you attempt to make connections.

VNC OPTIONS

To configure the VNC options, go to Remote Connections VNC VNC Options. This dialog is used to fill in the required information for pushing VNC to a remote system and connecting to it. These options are filled in automatically, but may need to be adjusted. This dialog is necessary when VNC has been installed and cannot be found. In that case, UMP will prompt to locate the required files when a VNC connection is attempted.

In the dialog shown, the VNC Service Remote Push Settings section provides the location of the VNC service that will be copied to remote systems if VNC is not found. Along with the full path to the service EXE file, also specify any files on which that service is dependent. These dependent files are filled in by default, but different instances of VNC depend on different files. In all cases, default files must be located in the same directory as the service EXE file. If attempting to add files to the list that are not in the same location, a warning will appear and those files which cannot be found will be removed from the list of dependent files.

The Local Viewer Settings field is the full path to the client viewer used to connect to VNC on the remote systems.

The VNC Session Password is required in order for clients to open sessions with the VNC service. By default, existing passwords will not be overwritten when connecting to pre-existing instances of VNC on remote systems; this password is used when copying the service to a system that does not already have it. It will still be possible to access systems for which no password has been set as long as administrative access to that system is available.

Select whether to use a fixed password or assign a random password to each instance of the VNC service. VNCPass provides a randomization of this password for increased security so that each system will receive a different random password for its VNC service. There is no need to know this VNC password because administrative access allows the process to retrieve it on demand.

The Advanced button provides additional pages with more fields to fine-tune:

The installation parameters of the VNC service when pushing VNC out to remote systems.
The VNC application settings that will be applied to new installs of the VNC client.
Actions to take before and/or after the VNC session, such as installation and removal or service start and stop.
Additional viewer command line parameters or a custom viewer application path.
Application-specific VNC parameters for optimal use of different versions of VNC.

VNC Service - This page allows configuring the service settings for copying to and installing the VNC service on remote systems.

The Remote Service Installation Settings all deal with copying the VNC service to the remote system if the service cannot be found. If Install Remote Service is unchecked, then VNC will not be installed on remote systems. The Service Short Name and Service Display Name fields are both used for installing the service on the remote system. The Service EXE Name field is the name of the executable file that will be copied to the remote systems and run as the VNC service. This field can be set manually, or is set automatically when browsing to the file using the "Name and Path to Service EXE" edit field. The Service Startup Type options also deal with installing the service on the remote system. Using the file list, specify any additional files the service EXE is dependent on to be copied along with the service. Finally, the Service Destination Location field specifies the remote folder to which the service EXE file and any dependent files will be copied on the remote system.

The Viewer Application Name and Location field refers to the path and name of the viewer application on the local system that will be used to make the connection to the service on the remote system.

VNC Settings - This page allows setting the VNC options for new installs of the VNC service. These options can also be used to overwrite the options for existing instances of VNC.

The top options tune which events on the remote system cause the screen to be redrawn. If Allow Socket Connections is un-checked, the VNC service on the remote machine will not allow clients to make socket connections. Configure which port the service uses for connections.

The Connection Password Settings section controls the client connection password to the VNC service. This password must be entered in order to start a VNC session with a remote system. VNC does not allow blank passwords.

The Random Password option allows creating a secure, pseudo-random, un-typeable password for each installation of the VNC service on remote systems, or creating random passwords that can be entered via keyboard.

Auto-Configuration - This page shows the actions that can be taken before starting a VNC session and directly after ending a VNC session. The options at the top configure whether or not the VNC service will be copied out to remote systems, started before a connection is made, and stopped and/or removed after a session is ended.

VNC Viewer - On this dialog, set the path to the VNC viewer application. This is the path on the local system that will be used to connect to the VNC service running on remote systems. Using this page, supply additional command line arguments to the viewer application on launch. These command line arguments will be used every time a VNC connection is opened from within our tool.

Application Preferences - These settings customize how VNC interacts with specific applications on the remote system. These registry settings can be used to define custom behaviors for the VNC viewer client interacting with specific applications. For example, the VNC viewer normally hooks the paint method, but for an application like the system clock, specify that the VNC viewer refresh on the OnTimer call instead. Some versions of VNC ship with registry files for specific application configuration. See the documentation of the VNC distribution for more details about application preferences.

IMPORT SETTINGS FROM A .RCM FILE

This option allows importing previous settings from a .rcm file. This format is used to store VNC connection settings. Browse to the file and VNC settings will be imported from the existing format. Check the settings using the VNC Options menu item.

INSTALL/REMOVE VNC ON SYSTEM

These options allow installing or removing the VNC service from selected systems. If installing the service, the settings specified through VNC Options will be used to configure the service. If one or more required components cannot be found, a notification as to which components are missing will be displayed. Use the VNC Options pages to locate these components. The default settings will assume default paths for a VNC install.

START/STOP/RESTART THE VNC SERVICE

Start, stop, and restart the VNC service running on remote systems. This can be useful when changing the password or explicitly enabling or disabling VNC. Some changes to options in VNC require a restart of the VNC service to take effect (like changing passwords).

SET VNC PASSWORD

This dialog allows the password to be set for VNC services running on one or more systems at the same time. First, select one or more target systems. Then go to RemoteConnection VNC Set VNC Password. Either supply a fixed password or choose to generate a random password for each instance of VNC. By default, the random passwords that are generated cannot be typed on a keyboard, which will prevent non-administrators from being able to open a VNC session through the VNC client logon window. It is also possible to generate typeable passwords, but un-typeable is the default for increased security. It will always be possible to open a VNC session on the system as long as credentials are supplied that are valid administrator credentials on that system (whether the password is typeable or not).

A service must be restarted after updating a password. Choose to restart the VNC services after the password change, as the password change will not take effect until the service is restarted. Keep in mind that restarting the service will end any active sessions.

Note: If supplying a blank password for VNC, VNC will not permit a connection. Depending on the version of VNC, it may use alternate methods to authenticate, but a blank password will not work. Specifying a blank password may also cause a failure when opening a VNC connection to a remote system.

TROUBLESHOOTING VNC SESSIONS

Here are some common problems when trying to open a VNC connection to a remote system.

1) Authentication Error - Make sure that the remote instance of VNC has a password set. To do this, you can shut down the VNC service, set the connection password to a known value, and restart the service. Then try to connect again.

2) Failed to Connect - Make sure the remote system and the local system are running the same version of VNC.


PROGRAM SETTINGS

This section discusses this product's various program settings.

IN THIS CHAPTER
General Options
Logging Options
Registration Dialog
License Token Assignment
Application Components
About
Logon Information Dialog
Security Lockdown Settings

GENERAL OPTIONS

The Options dialog is accessed from the Settings menu of the main dialog or from within a systems list.

Shown below is the Options dialog.

WINDOW FADE - Specifies whether or not to fade in selected dialogs in the program (only available in Windows 2000 and above).

SHOW SPLASH SCREEN ON STARTUP - Specifies whether or not the program splash screen is displayed.

SHOW HIGHLIGHTS FOR SUGGESTED NEXT ACTIONS - Specifies that visual cues are shown for the fields that need to be filled in.

DISPLAY OS VERSION AS VERSION NUMBER - Specifies whether the OS version number is shown in the system information rather than the OS name (Windows 5.1 as opposed to Windows XP, for example).

ALWAYS TRY TO FIND IP ADDRESS - System names can be NetBIOS names, IP addresses, or DNS style names. DNS style names must be resolved to IP addresses before operations can be performed. By default User Manager Pro can also resolve NetBIOS names to IP addresses; uncheck to disable this resolution.

TRY TO FIND MAC ADDRESS - With this option enabled, User Manager Pro attempts to retrieve the MAC address for each system using a series of steps. Disabling this option may increase the speed of operations. User Manager Pro requires MAC addresses to do Wake on LAN.

TRY TO FIND IP SUBNET AND DHCP - User Manager Pro attempts to find the IP subnet for each resolved IP address, and the DHCP setting for its network interface. This process requires several remote accesses; disabling this option can enhance operation speed. DHCP and subnets are only a requirement for Wake on LAN.

ALLOW IP ADDRESS RESOLUTION - When system names are resolved through DNS, the system name is matched to an IP address. Depending on local network configuration, a domain suffix may be automatically appended to the system name during resolution. Depending on the network DNS configuration, the result may not be the correct IP address for the system queried for. For example, if the UMP host machine is configured to be in a domain, and the DNS server for that domain does not have a corresponding record and resolves all unknown names to another machine (default system), the UMP system name might resolve to the IP address of the default machine. Fortunately, the DNS server identifies the name it resolved, and this "error" (as described) only occurs when domain suffixes are automatically appended. So, if system names are resolving incorrectly, it is probably indicative of a DNS configuration error. If this condition cannot be fixed and it is important for User Manager Pro to have correct IP addresses for systems, disable this option. This will cause User Manager Pro to ignore the resolved IP address when the name resolved was not identical to the name queried for.

Example: The system WORKSTATION is configured to automatically append a domain suffix (WORKSTATION.domain.com). The DNS server for domain.com has a host wildcard entry for the suffix domain.com (*.domain.com) that resolves to the system WILDCARD.domain.com. If DNS name resolution is the first name resolution method attempted (which is the default), the operating system will attempt to resolve WORKSTATION.domain.com. This will "succeed" (because of the wildcard entry) but will return the address and name of WILDCARD.domain.com. To prevent this from happening, uncheck the Allow IP address resolution box.

SHOW RESOLVE BY OPTIONS - This option will display the Resolve By setting. The resolve by type is stored on a machine-by-machine basis. After UMP has a NetBIOS name and IP address for a machine, use these options to change how the systems are differentiated in a management set. This option is used when there are duplicate NetBIOS names for machines (User Manager Pro can see multiple domains and subnets at once) to differentiate between systems by using the IP address.

LOGGING OPTIONS

Before using the product, examine the log file settings. The log file settings are found at Settings Logging Options. By default, the log file will be created in the location recommended by Microsoft for application log files. It may be preferable to select an alternate location for log files; to do so, specify a new log file location/name using the ellipses button.

There are two thresholds of logging available: extended and normal. The extended (verbose) mode includes normal log information as well as information on the internal phases the product goes through while performing changes and logging. In normal operation extended logging is not necessary. The extended logging information is useful for debugging should it become necessary. The log file is always appended to. It is always safe to read/copy the log file when changes are not in progress.

LOG STATISTICS - By checking the Log Statistics check box, the log will receive the pre- and post-transaction counts for managed items. This information will be logged to the log file.

VIEW - View the log in a text editor.

PRINT - Print the log file.

DELETE - Delete the log file.

LOG SIZE - Displays the current size of the log file in bytes.

WINDOWS EVENT LOG - These options tell the program to also log to the computer's Application Event log. The remote computer is the computer that is being changed by the program and the local machine is the machine that the program is running on. The Windows Application Event Log is a record of program activity and can be useful in tracking operations performed by this tool which would reflect changes to the network configuration or security.
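The name check described under ALLOW IP ADDRESS RESOLUTION in General Options can be reproduced outside the product when auditing a systems list. The Python sketch below is an added example, not User Manager Pro's code: it compares the name the resolver answered for with the name queried and drops the address on a mismatch. The function names, the constructed zone with 192.0.2.x addresses, and the rule that a short name with only a suffix appended still counts as a match are assumptions.

```python
import socket


def normalize(name):
    """Lower-case a host name and drop surrounding spaces and the root dot."""
    return name.strip().rstrip(".").lower()


def same_host(queried, canonical):
    """Decide whether the resolver answered for the name that was asked for.

    Assumption of this sketch: a short name that only had a domain suffix
    appended (WORKSTATION -> WORKSTATION.domain.com) is still the same host,
    because its host label is unchanged.
    """
    q, c = normalize(queried), normalize(canonical)
    if q == c:
        return True
    if "." not in q:
        return c.split(".", 1)[0] == q
    return False


def resolve_checked(name, resolver=socket.gethostbyname_ex, allow_mismatch=False):
    """Resolve `name`; keep the addresses only if the answer is for `name`.

    allow_mismatch=True models leaving "Allow IP address resolution" checked,
    False models unchecking it (addresses from mismatched answers are ignored).
    """
    try:
        canonical, _aliases, addresses = resolver(name)
    except OSError:  # socket.gaierror and socket.herror derive from OSError
        return {"name": name, "canonical": None,
                "status": "unresolved", "addresses": []}
    if same_host(name, canonical):
        status = "match"
    elif allow_mismatch:
        status = "mismatch-accepted"
    else:
        status, addresses = "mismatch-ignored", []
    return {"name": name, "canonical": canonical,
            "status": status, "addresses": list(addresses)}


# Constructed zone modelling the page's example: domain.com has one real host
# record and a wildcard (*.domain.com) that answers as WILDCARD.domain.com.
ZONE = {"server1.domain.com": ("server1.domain.com", "192.0.2.10")}
WILDCARD = ("WILDCARD.domain.com", "192.0.2.99")
SUFFIX = "domain.com"


def fake_resolver(name):
    """Offline stand-in with the same return shape as socket.gethostbyname_ex."""
    fqdn = normalize(name)
    if "." not in fqdn:
        fqdn = f"{fqdn}.{SUFFIX}"  # suffix appended automatically
    if fqdn in ZONE:
        canonical, address = ZONE[fqdn]
    elif fqdn.endswith("." + SUFFIX):
        canonical, address = WILDCARD  # the wildcard "succeeds" for any name
    else:
        raise socket.gaierror("name not found")
    return canonical, [name], [address]


if __name__ == "__main__":
    for host in ("SERVER1", "WORKSTATION", "host.other.example"):
        print(resolve_checked(host, resolver=fake_resolver))
```

Called without the `resolver` argument, `resolve_checked` uses the operating system's resolver, so a systems list can be swept for names that silently land on a wildcard or default host.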


REGISTRATION DIALOG

The Registration dialog can be accessed through the Help menu in the main dialog (not the Manage Systems dialog). This dialog is also shown as a part of the installation process.

The serial number entered is customized specifically to the machine that is running the software, not the machines being managed. The number of systems the license allows management of and the name of the system that is allowed to run this software are embedded in the serial number. If the software has been running in demo mode and a commercial license is purchased, send Lieberman Software the machine name (which is located on the About dialog screen). We use this to generate the appropriate serial number. If more systems must be managed or the tool needs to be moved to a machine with a different name, contact Lieberman Software for a new serial number.

USE REMOTE LICENSE

Multiple administrators can share a single license from multiple workstations or servers. This option does not share system set or system information (each system set and system information is maintained locally). General application data is also not shared. This essentially means that each instance of the install is a complete version which maintains its own separate program data. To transfer set information from one instance of the tool to another, use the Import/Export (see "Import/Export Systems List" on page 28) features for system lists or use Import Settings (see "Import Settings from Remote License Server" on page 54) to import program settings from a Remote Licensed Server if available.

To enable the use of a shared license key, a commercial version of the software must be installed and accessible. Go to the registration screen and set the check box: Use Remote License. It is also possible to connect as an Alternate Administrator (see "Administrator Accounts Editor" on page 238). Enter the name or browse to find the name of the machine that has the license. Enter the name of the licensed machine in the Remote Licensed Machine Name field. Finally, click on the OK button.

Note: On the remote system, the provided credentials must be administrative credentials, otherwise remote licensing will not work. In order to continue using a remote license, the licensed system must always be online and accessible.

IF PLANNING TO INSTALL THE SOFTWARE ON A LAPTOP OR MACHINES THAT CANNOT BE NETWORKED TOGETHER TO SHARE THE COMMERCIAL KEY, IT WILL BE NECESSARY TO OBTAIN A SEPARATE LICENSE KEY FOR EACH DISCONNECTED SYSTEM.

Note: Remote Licensing will not function without a commercial key being installed on the licensing server.

LICENSE TOKEN ASSIGNMENT

When a commercial version of the product is purchased, a serial number will be sent which will allow managing a fixed number of systems. Use the License Token Assignment dialog to manually assign or release the purchased tokens to or from systems.

Alternatively, simply perform operations on systems, whereupon one or more available license tokens will be assigned automatically to each system being managed (refresh does not cause a system to be licensed). The primary use of this dialog is to release tokens from abandoned systems that are no longer part of the network so those tokens can be reassigned to new systems on the network.

To access the License Token Assignment dialog, click Help > License Keys in the main dialog.

License tokens are assigned to machine names. This means that if a system is decommissioned and is replaced with new hardware that is given the same name, the replacement may use the same license; there is no reason to release and re-assign the license.

In the systems list on this dialog, the "Licensed" column displays the current licensing status of a machine as either YES or NO. The "#Rekeys" column displays the number of times a machine has had its license released and re-assigned. The "InAGroup" column displays whether or not a system is found in any systems list: "Active" if it is in a management set, or "Abandoned" if it is not in any management sets.

As stated previously, if a system is being retired but its replacement has the exact same NetBIOS name, it is not necessary to release the license. However, if the NetBIOS name will never be managed again and there is a need to reclaim licenses, select those systems here and elect to RELEASE their license.

Whenever a machine's token is released, the "Rekeyed Systems" counter will increment for that system. If the name is later re-added and the token re-assigned, the "Rekeyed Systems" field will decrement and the "#Rekeys" column for the given system will increment. If this process is repeated more times than the allowed number of "Maximum Rekeys", the system will be "Locked-Out" of management.

An easy way to find systems that should likely have licenses removed from them is to sort by the "InAGroup" column and look for systems that are abandoned. Abandoned systems are not found in any systems list.

Another way to manage license tokens is to let User Manager Pro and Lieberman Software do it automatically. To do this, select the "Automatically manage license tokens" option at the top of this dialog. This will cause User Manager Pro to use port 80 (http traffic) to communicate with Lieberman Software servers for the purpose of automatically managing license token assignment. The information that User Manager Pro sends is limited to information that has already been provided: machine name, license information, the names of the systems being managed, and last access information. Use of this feature is not necessary. Lieberman Software does not share this information with anyone. Blocking port 80 traffic will cause this feature not to work.

IMPORTANT: License tokens are currently assigned for each unique system name in the System column of the main dialog. If the same system is listed multiple times by different names (i.e., by NetBIOS name and by IP address), multiple tokens will be used for the same system. To ensure that this does not happen, use the following steps when adding systems using multiple naming conventions:

1) Add the systems to the management set.
2) Select all the systems, then select the Refresh Info (Get Role/Version) operation (this does not cause systems to be licensed).
3) From the main dialog's SystemsList menu, select Remove Duplicate Systems.

Export the list of licensed systems by clicking the EXPORT button and using the product's built-in Report Generator (see "Report Generator / Output Settings" on page 205).

APPLICATION COMPONENTS

There are three dependent components that are included with User Manager Pro. They are the scheduling service used for scheduling deferred jobs, the deferred processing service used by the scheduling service to actually perform the work, and the remote agent service, which is pushed to remote systems as a part of a file permissions report operation.

The component status can be accessed through the Settings > Application Components menu from the management set dialog or through the Components menu in the Jobs Monitor.

Normally all of the components of this program are contained in the same directory determined at the time of installation. If the components were moved post installation, the Manage Application Components dialog is provided to set the new location of the components. If files are moved post installation without reinstalling the application, remove the service, move the components, set the new locations in the components dialog, and install the service again.

ABOUT

This dialog contains version information and machine-specific licensing information based on the installed serial number. After purchasing User Manager Pro and using the Register dialog to update the serial number, this screen will be updated to show the purchased licensing information. If the information on this screen does not conform to what has been ordered, please contact Lieberman Software immediately for a corrected serial number.

LOGON INFORMATION DIALOG

The Logon Information dialog shows the current logon credentials and program environment variables. These current logon credentials can be supplemented using the Alternate Administrators (see "Administrator Accounts Editor" on page 238) feature to perform operations within the product.

USER NAME - The current user's login name.
SYSTEM NAME - The name of this system.
ROLE - The role of this system.
LOGON DOMAIN - The name of the domain that this machine is logged into.
DEFAULT DOMAIN - The name of the domain that this machine is a part of.
LOGON DC - The name of the machine that is the domain controller for this machine.
OP SYS VERSION - The current version of the operating system that is running on this machine. Note that version 4.0 is Windows NT 4.0, version 5.0 is Windows 2000, version 5.1 is Windows XP, version 5.2 is Server 2003, 6.0 is Server 2008 or Vista, 6.1 is 7 or Server 2008 R2, 6.2 is 8 or Server 2012, and 6.3 is 8.1 or Server 2012 R2.
ADMINISTRATOR ACCOUNT - Whether or not the current user account is an administrator account.
LAUNCH.EXE - The path to the file that launched this instance of the product.
RIGHTS - Any additional rights granted to the current user beyond rights inherited by groups to which the current user belongs.

SECURITY LOCKDOWN SETTINGS

Using the Security Lockdown Settings dialog, certain features of User Manager Pro can be locked out so that other administrators who use the tool will have limited access.

To access the Lockdown Settings, go to the About (on page 275) dialog and Ctrl+click on the Product Banner. UMP will prompt for a password.

The default password is "ACKNAK", in all capital letters. Once the password is entered, the Lockdown Security Parameters dialog will open.

The check boxes on the left side represent features within the program that can be disabled. Once checked, each feature will be disabled throughout the program for all users.

The Lockdown Log File Settings option locks the log file settings at their current settings. This prevents other users from disabling the log, changing the log file path or name, and performing unrecorded actions using User Manager Pro.

The Disable Remote Shutdown option disables access to the remote restart/shutdown features in User Manager Pro.

The Change Password button changes the Lockdown password required to enter this dialog.


REVISION HISTORY

The User Manager Pro revision history can be found online at or by using the Revision History menu item located on the Help menu from the main UMP dialog.



More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright

More information

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.3

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.3 Wavelink Avalanche Mobility Center Java Console User Guide Version 5.3 Revised 17/04/2012 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information

ALTIRIS Software Delivery Solution for Windows 6.1 SP3 Product Guide

ALTIRIS Software Delivery Solution for Windows 6.1 SP3 Product Guide ALTIRIS Software Delivery Solution for Windows 6.1 SP3 Product Guide Notice Altiris Software Delivery Solution for Windows 6.1 SP3 Product Guide 2007 Altiris, Inc. All rights reserved. Document Date: February

More information

Veeam Backup Enterprise Manager. Version 7.0

Veeam Backup Enterprise Manager. Version 7.0 Veeam Backup Enterprise Manager Version 7.0 User Guide August, 2013 2013 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may

More information

Administration Quick Start

Administration Quick Start www.novell.com/documentation Administration Quick Start ZENworks 11 Support Pack 3 February 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

Exchange Mailbox Protection Whitepaper

Exchange Mailbox Protection Whitepaper Exchange Mailbox Protection Contents 1. Introduction... 2 Documentation... 2 Licensing... 2 Exchange add-on comparison... 2 Advantages and disadvantages of the different PST formats... 3 2. How Exchange

More information

How To Create An Easybelle History Database On A Microsoft Powerbook 2.5.2 (Windows)

How To Create An Easybelle History Database On A Microsoft Powerbook 2.5.2 (Windows) Introduction EASYLABEL 6 has several new features for saving the history of label formats. This history can include information about when label formats were edited and printed. In order to save this history,

More information

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2 HYPERION SYSTEM 9 MASTER DATA MANAGEMENT RELEASE 9.2 N-TIER INSTALLATION GUIDE P/N: DM90192000 Copyright 2005-2006 Hyperion Solutions Corporation. All rights reserved. Hyperion, the Hyperion logo, and

More information

Spector 360 Deployment Guide. Version 7

Spector 360 Deployment Guide. Version 7 Spector 360 Deployment Guide Version 7 December 11, 2009 Table of Contents Deployment Guide...1 Spector 360 DeploymentGuide... 1 Installing Spector 360... 3 Installing Spector 360 Servers (Details)...

More information

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide N109548 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software Corporation makes

More information

Oracle Enterprise Single Sign-on Provisioning Gateway. Administrator Guide Release 10.1.4.1.0 E12613-01

Oracle Enterprise Single Sign-on Provisioning Gateway. Administrator Guide Release 10.1.4.1.0 E12613-01 Oracle Enterprise Single Sign-on Provisioning Gateway Administrator Guide Release 10.1.4.1.0 E12613-01 March 2009 Oracle Enterprise Single Sign-on Provisioning Gateway, Administrator Guide, Release 10.1.4.1.0

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide Quest ChangeAuditor FOR ACTIVE DIRECTORY 5.1 User Guide Copyright Quest Software, Inc. 2010. All rights reserved. This guide contains proprietary information protected by copyright. The software described

More information

Malwarebytes Enterprise Edition Best Practices Guide Version 1.3 21 March 2014

Malwarebytes Enterprise Edition Best Practices Guide Version 1.3 21 March 2014 Malwarebytes Enterprise Edition Best Practices Guide Version 1.3 21 March 2014 Notices Malwarebytes products and related documentation are provided under a license agreement containing restrictions on

More information

Quick Start Guide for VMware and Windows 7

Quick Start Guide for VMware and Windows 7 PROPALMS VDI Version 2.1 Quick Start Guide for VMware and Windows 7 Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the

More information

Install SQL Server 2014 Express Edition

Install SQL Server 2014 Express Edition How To Install SQL Server 2014 Express Edition Updated: 2/4/2016 2016 Shelby Systems, Inc. All Rights Reserved Other brand and product names are trademarks or registered trademarks of the respective holders.

More information

Xerox Secure Access Unified ID System 5.4 Administration Guide

Xerox Secure Access Unified ID System 5.4 Administration Guide 2014 Xerox Secure Access Unified ID System 5.4 Administration Guide Xerox Secure Access Unified ID System 5.4 Administration Guide Document Revision History Revision Date Revision List September 12, 2014

More information

Video Administration Backup and Restore Procedures

Video Administration Backup and Restore Procedures CHAPTER 12 Video Administration Backup and Restore Procedures This chapter provides procedures for backing up and restoring the Video Administration database and configuration files. See the following

More information

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide Novell Storage Manager 3.1.1 for Active Directory Installation Guide www.novell.com/documentation Installation Guide Novell Storage Manager 3.1.1 for Active Directory October 17, 2013 Legal Notices Condrey

More information

ArcGIS 9. Installation Guide: Workgroup for Microsoft SQL Server Express

ArcGIS 9. Installation Guide: Workgroup for Microsoft SQL Server Express ArcGIS 9 Installation Guide: Workgroup for Microsoft SQL Server Express Copyright 2006 ESRI All Rights Reserved. Printed in the United States of America. The information contained in this document is the

More information

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide Digipass Plug-In for IAS IAS Plug-In IAS Microsoft's Internet Authentication Service Installation Guide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations

More information

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com

More information

SafeGuard Enterprise Administrator help

SafeGuard Enterprise Administrator help SafeGuard Enterprise Administrator help Product version: 5.60 Document date: April 2011 Contents 1 The SafeGuard Management Center...4 2 Log on to the SafeGuard Management Center...5 3 Operating steps

More information

NETWORK PRINT MONITOR User Guide

NETWORK PRINT MONITOR User Guide NETWORK PRINT MONITOR User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Net Protector Admin Console

Net Protector Admin Console Net Protector Admin Console USER MANUAL www.indiaantivirus.com -1. Introduction Admin Console is a Centralized Anti-Virus Control and Management. It helps the administrators of small and large office networks

More information

NetWrix Server Configuration Monitor

NetWrix Server Configuration Monitor NetWrix Server Configuration Monitor Version 2.2 Quick Start Guide Contents NetWrix Server Configuration Monitor Quick Start Guide 1. INTRODUCTION... 3 1.1 KEY FEATURES... 3 1.2 LICENSING... 4 1.3 HOW

More information

BillQuick Agent 2010 Getting Started Guide

BillQuick Agent 2010 Getting Started Guide Time Billing and Project Management Software Built With Your Industry Knowledge BillQuick Agent 2010 Getting Started Guide BQE Software, Inc. 2601 Airport Drive Suite 380 Torrance CA 90505 Support: (310)

More information

XMailer Reference Guide

XMailer Reference Guide XMailer Reference Guide Version 7.00 Wizcon Systems SAS Information in this document is subject to change without notice. SyTech assumes no responsibility for any errors or omissions that may be in this

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

ATX Document Manager. User Guide

ATX Document Manager. User Guide ATX Document Manager User Guide ATX DOCUMENT MANAGER User Guide 2010 CCH Small Firm Services. All rights reserved. 6 Mathis Drive NW Rome, GA 30165 No part of this manuscript may be copied, photocopied,

More information

UltraBac Documentation. UBDR Gold. Administrator Guide UBDR Gold v8.0

UltraBac Documentation. UBDR Gold. Administrator Guide UBDR Gold v8.0 UltraBac Documentation UBDR Gold Bare Metal Disaster Recovery Administrator Guide UBDR Gold v8.0 UBDR Administrator Guide UBDR Gold v8.0 The software described in this guide is furnished under a license

More information

Symantec AntiVirus Business Pack Administrator s Guide

Symantec AntiVirus Business Pack Administrator s Guide Symantec AntiVirus Business Pack Administrator s Guide Symantec AntiVirus Business Pack Administrator s Guide The software described in this book is furnished under a license agreement and may be used

More information

Sophos Enterprise Console server to server migration guide. Product version: 5.2

Sophos Enterprise Console server to server migration guide. Product version: 5.2 Sophos Enterprise Console server to server migration guide Product : 5.2 Document date: December 2014 Contents 1 About this guide...3 2 Terminology...4 3 Assumptions...5 4 Prerequisite...6 5 What are the

More information

Setup and Configuration Guide for Pathways Mobile Estimating

Setup and Configuration Guide for Pathways Mobile Estimating Setup and Configuration Guide for Pathways Mobile Estimating Setup and Configuration Guide for Pathways Mobile Estimating Copyright 2008 by CCC Information Services Inc. All rights reserved. No part of

More information

WhatsUp Gold v16.1 Installation and Configuration Guide

WhatsUp Gold v16.1 Installation and Configuration Guide WhatsUp Gold v16.1 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.1 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED. Installation Guide Lenel OnGuard 2009 Installation Guide, product version 6.3. This guide is item number DOC-110, revision 1.038, May 2009 Copyright 1992-2009 Lenel Systems International, Inc. Information

More information

Lepide Event Log Manager. Users Help Manual. Lepide Event Log Manager. Lepide Software Private Limited. Page 1

Lepide Event Log Manager. Users Help Manual. Lepide Event Log Manager. Lepide Software Private Limited. Page 1 Users Help Manual Lepide Event Log Manager Lepide Software Private Limited. Page 1 Users Help Manual for Lepide Event Log Manager Lepide Software Private Limited, All Rights Reserved This User Guide and

More information

BrightStor ARCserve Backup for Windows

BrightStor ARCserve Backup for Windows BrightStor ARCserve Backup for Windows Serverless Backup Option Guide r11.5 D01182-2E This documentation and related computer software program (hereinafter referred to as the "Documentation") is for the

More information

RoomWizard Synchronization Software Manual Installation Instructions

RoomWizard Synchronization Software Manual Installation Instructions 2 RoomWizard Synchronization Software Manual Installation Instructions Table of Contents Exchange Server Configuration... 4 RoomWizard Synchronization Software Installation and Configuration... 5 System

More information

EventTracker Enterprise v7.3 Installation Guide

EventTracker Enterprise v7.3 Installation Guide EventTracker Enterprise v7.3 Installation Guide Publication Date: Sep 11, 2012 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide will help the users to install

More information

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Microsoft Corporation Published: September 2009 Abstract This step-by-step guide describes a sample scenario for installing Microsoft

More information

NovaBACKUP xsp Version 15.0 Upgrade Guide

NovaBACKUP xsp Version 15.0 Upgrade Guide NovaBACKUP xsp Version 15.0 Upgrade Guide NovaStor / November 2013 2013 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are subject

More information

DigitalPersona Pro. Password Manager. Version 5.x. Application Guide

DigitalPersona Pro. Password Manager. Version 5.x. Application Guide DigitalPersona Pro Password Manager Version 5.x Application Guide 1996-2012 DigitalPersona, Inc. All Rights Reserved. All intellectual property rights in the DigitalPersona software, firmware, hardware

More information

CA ARCserve Backup for Windows

CA ARCserve Backup for Windows CA ARCserve Backup for Windows Agent for Microsoft SharePoint Server Guide r15 This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

NovaBACKUP. Storage Server. NovaStor / May 2011

NovaBACKUP. Storage Server. NovaStor / May 2011 NovaBACKUP Storage Server NovaStor / May 2011 2011 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are subject to change without notice.

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) ( SAFETICA INSIGHT INSTALLATION MANUAL SAFETICA INSIGHT INSTALLATION MANUAL for Safetica Insight version 6.1.2 Author: Safetica Technologies s.r.o. Safetica Insight was developed by Safetica Technologies

More information

Admin Report Kit for Active Directory

Admin Report Kit for Active Directory Admin Report Kit for Active Directory Reporting tool for Microsoft Active Directory Enterprise Product Overview Admin Report Kit for Active Directory (ARKAD) is a powerful reporting solution for the Microsoft

More information

MCSE TestPrep: Windows NT Server 4, Second Edition - 3 - Managing Resources

MCSE TestPrep: Windows NT Server 4, Second Edition - 3 - Managing Resources MCSE TestPrep: Windows NT Server 4, Second Edition - CH 3 - Managing Resources Page 1 of 36 [Figures are not included in this sample chapter] MCSE TestPrep: Windows NT Server 4, Second Edition - 3 - Managing

More information