
A Scripting Server for Domain Automation Tasks

Presentation on theme: "A Scripting Server for Domain Automation Tasks"— Presentation transcript:

1 A Scripting Server for Domain Automation Tasks
Christian Trachimow, DESY
5/13/2019 The DESY WindowsNT Group

2 Domain administration tasks
- User management, delegated to group administrators and "user service": set passwords, create, move, delete, archive, ...
- Group management: define composition
- System management: query computers for special properties; license management
- Different groups take part in these processes
- But: most jobs can be done only with domain admin privileges
- Need a server that holds scripts, controls security and executes scripts

3 Requirements for a Scripting Server
- Scripts should be stored on the Scripting Server
- Scripts can be triggered by remote machines
- Secure connections with remote machines (encryption)
- Scripts must be run with DA privileges (impersonation)
- Identify which user submits the execution request (authentication)
- Define which groups are allowed to launch the script (security control)
- Easy way of launching scripts
- Logging all operations (event log)

4 Why Transaction Server?
- Only used as DCOM repository
- Impersonation: can be defined for a package (collection of objects)
- Encryption: DCOM network security "packet privacy"
- Authentication is done by DCOM: NTLM
- Easy way of invoking scripts (DCOM)
- Implement a COM object on MTS:
  - read config file
  - identify calling user and check if user is allowed
  - execute script and return standard output

5 Basic Idea
1. Store all scripts on the transaction server (MTS): moveuser.pl, setpasswd.vbs, movehome.pl
2. Edit config file (XML format):

   Alias Name    Script location             Role              Pass calling user
   MoveUser      Perl.exe moveuser.pl        User Support      No
   Passwd        Cscript.exe setpasswd.vbs
   MoveHomedir   Perl.exe movehome.pl        Domain Operator

6 Basic Idea (cont.)
3. Define roles on the transaction server:
   User Support:     desynt\usg, desynt\Domain Admins
   Domain Operators: desynt\Domain Admins, desynt\operators

7 Basic Idea (cont.)
The client (or web server) creates the COM object and names only the alias and its arguments; the COM object on the transaction server looks up the alias in the config file, checks the role, and executes the script:

   Set obj = CreateObject("DSH.ExecuteSync")
   obj.InvokeScript("Passwd", "user1 newpassword")

Config file (alias name, script location, role, pass calling user) and roles (User Support, Domain Operators) as defined on slides 5 and 6.

8 Implementation
- Load config file by MS XML provider
- COM object on MTS: impersonation; "GetOriginalCallerID" from ISecurityContext
- DCOM: network "packet privacy"; authentication: NTLM
- IObjectContext interface provides the "IsCallerInRole" method
- Execute script, redirect standard output to a pipe
- Log activity

Diagram: Client / Web Server -> COM object on the transaction server -> config file (alias name, script location, role, pass calling user, as on slide 5) and roles (User Support, Domain Operators).
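A minimal model of the dispatch step described on slides 4 to 8, as an added example (not code from the DESY presentation or its server): the client names only an alias and arguments, the server resolves the alias to a fixed command line and refuses the request unless the caller is in the configured role. The XML element and attribute names, the role dictionary standing in for MTS IsCallerInRole, and the caller identities are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed config mirroring the table on slide 5; element and attribute
# names are assumptions, the real server's XML layout is not shown.
CONFIG_XML = """
<scripts>
  <script alias="MoveUser"    command="Perl.exe moveuser.pl"      role="User Support"     passcaller="no"/>
  <script alias="Passwd"      command="Cscript.exe setpasswd.vbs" role="User Support"     passcaller="no"/>
  <script alias="MoveHomedir" command="Perl.exe movehome.pl"      role="Domain Operators" passcaller="yes"/>
</scripts>
"""

# Stand-in for the MTS role definitions on slide 6 (role -> member groups).
ROLES = {
    "User Support": {"desynt\\usg", "desynt\\Domain Admins"},
    "Domain Operators": {"desynt\\Domain Admins", "desynt\\operators"},
}

def load_config(xml_text):
    """alias -> config entry; the alias is the only thing a client may name."""
    root = ET.fromstring(xml_text.strip())
    return {s.get("alias"): dict(s.attrib) for s in root.findall("script")}

def is_caller_in_role(caller_groups, role):
    """Stand-in for IObjectContext.IsCallerInRole: any caller group is in the role."""
    return bool(set(caller_groups) & ROLES.get(role, set()))

def build_command(config, alias, args, caller, caller_groups):
    """Resolve the alias to the server-side command line, or refuse.
    The program path always comes from the config, never from the client."""
    entry = config.get(alias)
    if entry is None:
        raise KeyError(f"unknown alias {alias!r}")
    if not is_caller_in_role(caller_groups, entry["role"]):
        raise PermissionError(f"{caller} is not in role {entry['role']!r}")
    argv = entry["command"].split() + args.split()
    if entry.get("passcaller", "no").lower() == "yes":
        argv.append(caller)   # "Pass calling user": the script receives the original caller
    return argv
```

The returned argv is what the server would hand to the process it spawns with stdout redirected to a pipe; spawning is left out so the example runs anywhere.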

9 Example
- Store the script on MTS
- Define the role on MTS
- Configure the config file (alias name, script location, role); an ActiveX control makes the changes in the configuration file
- Write the client script / Web interface (ASP)
Example: write script / configure server / write client script / call script

10 Conditional execution
- Problem: allow execution only if some conditions are valid
  - Group administrators are only allowed to set the password of their users, not of all users
  - Group admins can remove their computers from the domain
- Could be done within the script
- Execute "Passwd", "user1 newpassword" only if the calling user is allowed to manage "user1"
- Condition table defines the relationship between calling user and managed object
  - Defines which management groups are permitted to manage which kind of users, computers or groups

11 Management definition table
Check if the "Calling User" is in a management group and the argument is in a group which that management group is allowed to manage. The calling user is matched against the "Management groups" column, the argument (of type "user") against the "Groups to manage" column.

   Management groups   Groups to manage
   Group1adm           Group1
   Group2adm           Group2
   Group3adm           Group3
   Domain Admins       *

12 Who is calling?

   Set obj = CreateObject("DSH.ExecuteSync")
   obj.InvokeScript("Passwd", "user1 newpassword")

The COM object determines the calling user and checks, with the management definition table on slide 11 (Management groups / Groups to manage), whether the caller may manage the argument "user1".

13 Config File Extension

   Alias Name   Script location             Role           Pass calling user   Arg. to check   Arg. type
   Passwd       Cscript.exe setpasswd.vbs   User Support   No                  1               User

Types of arguments: COMPUTERS, USERS, GROUPS
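The conditional-execution check of slides 10 to 13, as an added example (not code from the DESY presentation): the config entry says which argument to check and of what type, the management definition table says which groups a management group may manage, and the request is allowed only if the caller's management groups cover one of the target object's groups. The directory lookup, the dictionary shapes and the sample users are assumptions; the real server resolves group membership in the domain.

```python
# Management definition table from slide 11: management group -> groups it
# may manage ('*' means every group).
MANAGEMENT_TABLE = {
    "Group1adm": {"Group1"},
    "Group2adm": {"Group2"},
    "Group3adm": {"Group3"},
    "Domain Admins": {"*"},
}

# Config file extension from slide 13 for the Passwd alias (dict shape assumed).
PASSWD_ENTRY = {"alias": "Passwd", "arg_to_check": 1, "arg_type": "USERS"}

# Constructed stand-in for the domain: object type -> object -> its groups.
DIRECTORY = {
    "USERS": {"user1": {"Group1"}, "user2": {"Group2", "Group3"}},
    "COMPUTERS": {"pc7": {"Group3"}},
    "GROUPS": {},
}

def managed_groups(caller_groups):
    """Union of the groups the caller's management groups are allowed to manage."""
    allowed = set()
    for group in caller_groups:
        allowed |= MANAGEMENT_TABLE.get(group, set())
    return allowed

def may_execute(entry, args, caller_groups, directory=DIRECTORY):
    """True if the caller may run this alias with these arguments.
    Only the argument named in the config entry is checked; the others
    (e.g. the new password) are passed through untouched."""
    argv = args.split()
    idx = entry["arg_to_check"] - 1          # slide 13 counts arguments from 1
    if idx < 0 or idx >= len(argv):
        return False                         # argument missing: deny rather than guess
    target = argv[idx]
    target_groups = directory.get(entry["arg_type"], {}).get(target)
    if target_groups is None:
        return False                         # unknown object of that type: deny
    allowed = managed_groups(caller_groups)
    return "*" in allowed or bool(allowed & target_groups)
```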

14 Summary
- Scripts can be stored and executed on the "Scripting Server" (with Domain Administrator rights)
- Define by "role" who is permitted to launch the scripts
- Conditional execution: a table defines the relationship between calling user and managed object
- Configuration settings can be managed by an ActiveX component
Example: configure condition

15 Asynchronous Execution
- Some scripts take a long time to finish: move home directory, archive user data
- The web server has a timeout interval for ASP pages
- The user cannot see whether the script was executed successfully
- Asynchronous execution:
  - submitting a script execution request, the method returns an ID
  - check the status of the execution by ID: in queue / currently executed / finished
  - notification after execution has finished

16 Implementation: MSMQ (Message Queue Server)
Queues on the transaction server: execution request -> currently executed -> finished

   Set obj = CreateObject("DSH.ExecuteAync")
   obj.InvokeScript("Passwd", "user1 newpassword", "some text for the body")

17 Event Driven Execution
- Query computer for special properties
  - Problem: the script fails if the computer is not online
- Hold the script in a queue and launch it only if the event occurs
  - Events: "computer is online", "time is reached", ...
- Other requirements:
  - retry execution on error
  - define a time range until the execution request will be dropped
  - notification by

18 Implementation: MSMQ
Queues on the transaction server: execution request -> check event ("computer is online") -> currently executed -> finished
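An in-memory model of the queued execution from slides 15 to 18, as an added example (not code from the DESY presentation): submitting returns an ID, status can be polled by ID, a request stays queued until its event has occurred, failed runs are retried a bounded number of times, and requests past their time range are dropped. The request record, the `ready` and `run` callbacks and the state names are assumptions; MSMQ itself is not used.

```python
import uuid

QUEUED, RUNNING, FINISHED, DROPPED = "in queue", "currently executed", "finished", "dropped"

class ScriptQueue:
    """Stand-in for the execution-request queue on the transaction server."""

    def __init__(self, max_retries=2):
        self.requests = {}            # request ID -> request record
        self.max_retries = max_retries

    def submit(self, alias, args, ready=lambda now: True, expires_at=None):
        """Like InvokeScript on the async object: returns an ID immediately.
        `ready(now)` models the event (e.g. "computer is online")."""
        rid = uuid.uuid4().hex
        self.requests[rid] = {"alias": alias, "args": args, "ready": ready,
                              "expires_at": expires_at, "state": QUEUED,
                              "attempts": 0}
        return rid

    def status(self, rid):
        """Status check by ID: in queue / currently executed / finished / dropped."""
        return self.requests[rid]["state"]

    def process(self, now, run):
        """One pass of the queue worker. `run(alias, args)` returns True on success."""
        for req in self.requests.values():
            if req["state"] != QUEUED:
                continue
            if req["expires_at"] is not None and now > req["expires_at"]:
                req["state"] = DROPPED       # time range exceeded: request is dropped
                continue
            if not req["ready"](now):
                continue                     # event has not occurred yet: stay queued
            req["state"] = RUNNING
            req["attempts"] += 1
            if run(req["alias"], req["args"]):
                req["state"] = FINISHED
            elif req["attempts"] > self.max_retries:
                req["state"] = DROPPED       # retries exhausted
            else:
                req["state"] = QUEUED        # retry on a later pass
```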

19 Example
Web based domain management

