Desktop Authority
Administrator's Guide
Copyright © 1998-2008 ScriptLogic Corporation and its licensors. All Rights Reserved.
Protected by U.S. Patents 6,871,221 and 7,293,087 with other patents pending.
Portions include technology used under license from Shavlik Technologies and are
copyrighted.
Certain portions used under license and Copyright (c) 2004-2008 Sunbelt Software, Inc.,
all rights reserved.
This software is based in part on the work of the Independent JPEG Group.
This publication is protected by copyright and all rights are reserved by ScriptLogic
Corporation. It may not, in whole or part, be copied, photocopied, reproduced, translated, or
reduced to any electronic medium or machine-readable form without prior consent, in
writing, from ScriptLogic Corporation. This publication supports Desktop Authority 7. It is
possible that it may contain technical or typographical errors. ScriptLogic Corporation
provides this publication “as is,” without warranty of any kind, either expressed or implied.
ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
1.561.886.2400
www.scriptlogic.com
Trademark Acknowledgements:
Desktop Authority, ScriptLogic and the ScriptLogic logo are either registered trademarks or
trademarks of ScriptLogic Corporation in the United States and/or other countries. The names
of other companies and products mentioned herein may be the trademarks of their respective
owners.
DOCUMENTATION CONVENTIONS
Typeface Conventions
Bold
Indicates a button, menu selection, tab, dialog box title,
text to type, selections from drop-down lists, or
prompts on a dialog box.
CONTACTING SCRIPTLOGIC
ScriptLogic may be contacted about any questions, problems or
concerns you might have at:
ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
561.886.2400 Sales and General Inquiries
561.886.2450 Technical Support
561.886.2499 Fax
www.scriptlogic.com
SCRIPTLOGIC ON THE WEB
ScriptLogic can be found on the web at www.scriptlogic.com. Our web
site offers customers a variety of information:
•
Download product updates, patches and/or evaluation products.
•
Locate product information and technical details.
•
Find out about Product Pricing.
•
Search the Knowledge Base for Technical Notes containing an
extensive collection of technical articles, troubleshooting tips
and white papers.
•
Search Frequently Asked Questions, for the answers to the
most common non-technical issues.
•
Participate in Discussion Forums to discuss problems or ideas
with other users and ScriptLogic representatives.
Table Of Contents
CONCEPTS .................................................................................................................................................. 1
WHAT IS DESKTOP AUTHORITY?................................................................................................................. 1
HOW DOES DESKTOP AUTHORITY WORK? ................................................................................................. 6
WHAT IS REPLICATION? .............................................................................................................................. 9
WHAT IS VALIDATION LOGIC? .................................................................................................................. 12
WHAT ARE DYNAMIC VARIABLES? ........................................................................................................... 36
INSTALLATION ....................................................................................................................................... 39
MINIMUM REQUIREMENTS ........................................................................................................................ 39
INSTALLATION PROCEDURE ...................................................................................................................... 42
INSTALLATION CHECKLIST ........................................................................................................................ 44
INSTALLATION BACKUP ............................................................................................................................ 46
INSTALLING DESKTOP AUTHORITY ........................................................................................................... 47
REGISTRATION .......................................................................................................................................... 59
OPTIONAL COMPONENTS........................................................................................................................... 61
THE USER INTERFACE ......................................................................................................................... 63
OVERVIEW ................................................................................................................................................ 63
MENU BAR ................................................................................................................................................ 66
TOOLBAR .................................................................................................................................................. 67
VIEW PANE ............................................................................................................................................... 68
NAVIGATION PANE .................................................................................................................................... 69
STATUS BAR.............................................................................................................................................. 70
SHORTCUT PANE ....................................................................................................................................... 71
PREFERENCES ............................................................................................................................................ 72
CREATE PROGRAM SHORTCUTS ................................................................................................................ 75
THEMES ..................................................................................................................................................... 76
RESOURCE BROWSER ................................................................................................................................ 78
GLOBAL SYSTEM SETTINGS ...................................................................................................................... 79
USING AND CONFIGURING PROFILES ......................................................................................................... 81
USING AND CONFIGURING PROFILE OBJECTS ............................................................................................ 87
SCRIPTLOGIC TODAY ................................................................................................................................ 93
SYSTEM DASHBOARD ................................................................................................................................ 94
ROLE BASED ADMINISTRATION ....................................................................................................... 96
WHAT IS ROLE BASED ADMINISTRATION? ................................................................................................ 96
CONFIGURING SUPER USERS/GROUPS ACCOUNTS .................................................................................. 100
CONFIGURING ROLES .............................................................................................................................. 102
CONFIGURING PROFILE PERMISSIONS ..................................................................................................... 108
GLOBAL CONFIGURATION ............................................................................................................... 111
GLOBAL OPTIONS.................................................................................................................................... 111
CLIENT DEPLOYMENT - ASSIGN SCRIPT .................................................................................................. 112
CLIENT DEPLOYMENT - GPO DEPLOYMENT* ......................................................................................... 114
PATCH DISTRIBUTION* ........................................................................................................................... 117
SOFTWARE DISTRIBUTION*..................................................................................................................... 120
GLOBAL DEFINITIONS ............................................................................................................................. 124
GLOBAL VISUAL ..................................................................................................................................... 125
GLOBAL EXCEPTIONS .............................................................................................................................. 128
GLOBAL DESKTOP AGENT....................................................................................................................... 130
iv
Table Of Contents
GLOBAL TROUBLESHOOTING .................................................................................................................. 132
SERVER MANAGER.............................................................................................................................. 134
SERVER MANAGER .................................................................................................................................. 134
DATABASE CONFIGURATION ................................................................................................................... 135
OPSMASTER SERVICE ............................................................................................................................. 140
CONFIGURING THE OPSMASTER SERVICE ................................................................................................ 144
SERVICE MANAGEMENT .......................................................................................................................... 145
OPTIONS .................................................................................................................................................. 150
SERVER PROPERTIES ............................................................................................................................... 159
SERVICE OPTIONS ................................................................................................................................... 160
WHAT IS THE SCRIPTLOGIC SERVICE? ..................................................................................................... 162
CONFIGURING THE SCRIPTLOGIC SERVICE .............................................................................................. 163
WHAT IS THE UPDATE SERVICE?............................................................................................................. 165
CONFIGURING THE UPDATE SERVICE ...................................................................................................... 166
REPORTING............................................................................................................................................ 168
REPORTING OVERVIEW* ......................................................................................................................... 168
Pre-Defined Reports ........................................................................................................................... 168
User-Defined Reports ......................................................................................................................... 169
Generated (Saved) Reports................................................................................................................. 169
Scheduled Reports .............................................................................................................................. 169
Enable/Disable Report Data Collection ............................................................................................. 170
CREATING A SIMPLE REPORT .................................................................................................................. 171
SCHEDULED REPORTS ............................................................................................................................. 174
Scheduled Report Settings .................................................................................................................. 174
Scheduled Report Emailing ................................................................................................................ 175
Error Notification............................................................................................................................... 176
PRE-DEFINED REPORTS ........................................................................................................................... 177
Administrative Audit Reports.............................................................................................................. 177
Admin Audit - Administrator Activity............................................................................................................. 177
Admin Audit - Profiles .................................................................................................................................... 180
Admin Audit - Roles Maintenance .................................................................................................................. 181
Admin Audit - User Maintenance.................................................................................................................... 182
Anti-Spyware Reports ......................................................................................................................... 183
Anti-Spyware Activity..................................................................................................................................... 183
Anti-Spyware Activity - Summary Page.......................................................................................................... 185
Hardware Inventory Reports .............................................................................................................. 187
Hardware Inventory - by Component .............................................................................................................. 187
Hardware Inventory - Detailed ........................................................................................................................ 189
Hardware Inventory - Computers Missing....................................................................................................... 191
Hardware Inventory -Detailed - Summary Page .............................................................................................. 192
Hardware Inventory - Detailed with Virtual Machines.................................................................................... 194
Hardware Inventory - Excel Optimized ........................................................................................................... 196
Hardware Inventory - Monitors ....................................................................................................................... 197
Hardware Inventory - Summary ...................................................................................................................... 199
Hardware Inventory - Vista Compatibility ...................................................................................................... 200
Hardware Inventory - Vista Incompatibility .................................................................................................... 201
Managed Computer Inventory ......................................................................................................................... 203
Miscellaneous Reports........................................................................................................................ 204
Logging - Default ............................................................................................................................................ 204
Energy Efficiency Audit .................................................................................................................................. 205
Power Management Savings Calculator .......................................................................................................... 207
Report Template (Landscape/Portrait)............................................................................................................. 208
Patch Management Reports................................................................................................................ 209
Patch Management Status - Executive Summary ............................................................................................ 209
Patch Management Status................................................................................................................................ 210
Profile Reports.................................................................................................................................... 211
v
Administrator's Guide
Profile Full Detail ............................................................................................................................................ 211
Profile Objects - Alerts .................................................................................................................................... 213
Profile Objects - Anti-Spyware........................................................................................................................ 214
Profile Objects - Common Folder Redirection ................................................................................................ 216
Profile Objects - Display.................................................................................................................................. 217
Profile Objects - Drive Mappings .................................................................................................................... 218
Profile Objects - Environment ......................................................................................................................... 219
Profile Objects - File Operations ..................................................................................................................... 220
Profile Objects - File/Registry Permissions ..................................................................................................... 221
Profile Objects - Folder Redirection ................................................................................................................ 222
Profile Objects - General ................................................................................................................................. 223
Profile Objects - Group Policy Templates ....................................................................................................... 225
Profile Objects - Inactivity............................................................................................................................... 226
Profile Objects - INI Files................................................................................................................................ 227
Profile Objects - Internet Explorer Settings ..................................................................................................... 228
Profile Objects - Application Launcher ........................................................................................................... 230
Profile Objects - Legal Notice ......................................................................................................................... 231
Profile Objects - Logging ................................................................................................................................ 232
Profile Objects - Message Boxes ..................................................................................................................... 233
Profile Objects - Microsoft Office Settings ..................................................................................................... 234
Profile Objects - Microsoft Outlook Profiles ................................................................................................... 235
Profile Objects - Microsoft Outlook Settings................................................................................................... 237
Profile Objects - Patch Management ............................................................................................................... 239
Profile Objects - Path....................................................................................................................................... 240
Profile Objects - Post-Engine Scripts............................................................................................................... 241
Profile Objects - Power Schemes..................................................................................................................... 242
Profile Objects - Pre-Engine Scripts ................................................................................................................ 243
Profile Objects - Printers.................................................................................................................................. 244
Profile Objects - Registry ................................................................................................................................ 246
Profile Objects - Remote Management ............................................................................................................ 247
Profile Objects - Security Policies ................................................................................................................... 249
Profile Objects - Service Pack Deployment..................................................................................................... 250
Profile Objects - Shortcuts............................................................................................................................... 251
Profile Objects - Software Management .......................................................................................................... 253
Profile Objects - Time Sync............................................................................................................................. 255
Profile Objects - USB/Port Security ................................................................................................................ 256
Profile Objects - Windows Firewall................................................................................................................. 258
Profiles Summary ............................................................................................................................................ 259
Software Inventory Reports ................................................................................................................ 260
Software Inventory - Summary Page ............................................................................................................... 260
Software Inventory - Total Installations .......................................................................................................... 261
Software Inventory - Total Installations with Computer List .......................................................................... 262
Software Inventory including Updates and Hotfixes ....................................................................................... 264
Software Inventory with Last User including Updates and Hotfixes ............................................................... 265
Software Inventory with Last User .................................................................................................................. 266
Software Inventory .......................................................................................................................................... 267
Software Management Reports........................................................................................................... 268
Software Management - Detailed By Product.................................................................................................. 268
Software Management - Summary .................................................................................................................. 269
USB-Port Security Reports................................................................................................................. 270
All USB Devices ............................................................................................................................................. 270
All USB Devices by Computer........................................................................................................................ 272
All USB Devices by User ................................................................................................................................ 274
USB-Port Security - All Device Events ........................................................................................................... 276
USB-Port Security - Classes Denied................................................................................................................ 278
USB-Port Security - Detailed By Class ........................................................................................................... 279
USB-Port Security - Detailed By Computer .................................................................................................... 281
USB-Port Security - Detailed By User ............................................................................................................ 283
USB-Port Security - Detailed By User (Fixed Devices) .................................................................................. 285
USB-Port Security - Detailed By User (Portable Devices) .............................................................................. 286
USB-Port Security - Top 10 Denied ................................................................................................................ 287
USB-Port Security - Users Denied................................................................................................................... 288
vi
Table Of Contents
USB-Port Security - Users Denied (Fixed Devices) ........................................................................................ 289
USB-Port Security - Users Denied (Portable Devices) .................................................................................... 290
User Activity Reporting ...................................................................................................................... 291
User Activity - Machine User Usage ............................................................................................................... 291
User Activity - Summary Page ........................................................................................................................ 292
User Activity - User Machine Usage ............................................................................................................... 293
User Activity Per Computer - Summary Page ................................................................................................. 294
User Activity Per Computer ............................................................................................................................ 295
User Activity.................................................................................................................................................... 296
User Logins ..................................................................................................................................................... 297
CONFIGURING PROFILES.................................................................................................................. 298
ALERTS ................................................................................................................................................... 298
ANTI-SPYWARE*..................................................................................................................................... 302
APPLICATION LAUNCHER ........................................................................................................................ 306
COMMON FOLDER REDIRECTION............................................................................................................. 310
DISPLAY .................................................................................................................................................. 312
DRIVE MAPPINGS .................................................................................................................................... 318
ENVIRONMENT ........................................................................................................................................ 322
FILE OPERATIONS.................................................................................................................................... 324
FOLDER REDIRECTION............................................................................................................................. 328
GENERAL ................................................................................................................................................ 330
GROUP POLICY TEMPLATES .................................................................................................................... 335
INACTIVITY ............................................................................................................................................. 341
INI FILES................................................................................................................................................. 345
INTERNET EXPLORER SETTINGS .............................................................................................................. 347
LEGAL NOTICE ........................................................................................................................................ 350
LOGGING ................................................................................................................................................. 352
LOG FILE VIEWER ................................................................................................................................... 355
MICROSOFT OUTLOOK PROFILES ............................................................................................................ 357
MESSAGE BOXES..................................................................................................................................... 360
MICROSOFT OFFICE SETTINGS ................................................................................................................ 363
MICROSOFT OUTLOOK SETTINGS ............................................................................................................ 365
MICROSOFT OUTLOOK DATA FILES ........................................................................................................ 371
MICROSOFT OUTLOOK CACHED MODE/OUTLOOK ANYWHERE .............................................................. 374
MICROSOFT OUTLOOK SIGNATURE ......................................................................................................... 377
PATCH DEPLOYMENT* ............................................................................................................................ 380
UPDATE SERVICE BEST PRACTICES ......................................................................................................... 385
PATH ....................................................................................................................................................... 396
FILE/REGISTRY PERMISSIONS .................................................................................................................. 397
POWER SCHEMES .................................................................................................................................... 401
PRE/POST ENGINE SCRIPTS ..................................................................................................................... 405
PRINTERS ................................................................................................................................................ 409
REGISTRY ................................................................................................................................................ 412
REMOTE MANAGEMENT*........................................................................................................................ 416
REMOTE MANAGEMENT ADVANCED SETTINGS ....................................................................................... 421
SECURITY POLICIES ................................................................................................................................. 425
SERVICE PACK DEPLOYMENT.................................................................................................................. 427
SHORTCUTS ............................................................................................................................................. 430
MSI PACKAGES*..................................................................................................................................... 434
TIME SYNCHRONIZATION ........................................................................................................................ 440
USB/PORT SECURITY*............................................................................................................................ 441
WINDOWS FIREWALL .............................................................................................................................. 449
WINDOWS FIREWALL ADVANCED ........................................................................................................... 452
vii
Administrator's Guide
REMOTE MANAGEMENT ................................................................................................................... 457
REMOTE MANAGEMENT CLIENT* ........................................................................................................... 457
USER INTERFACE..................................................................................................................................... 462
HOME ...................................................................................................................................................... 466
REMOTE CONTROL .................................................................................................................................. 468
FILE TRANSFER ....................................................................................................................................... 475
HELP DESK CHAT .................................................................................................................................... 477
COMPUTER MANAGEMENT...................................................................................................................... 478
COMPUTER SETTINGS .............................................................................................................................. 490
SERVER FUNCTIONS ................................................................................................................................ 492
SCHEDULING AND ALERTS ...................................................................................................................... 513
PERFORMANCE MONITORING .................................................................................................................. 518
SECURITY ................................................................................................................................................ 521
PREFERENCES .......................................................................................................................................... 531
CUSTOM PAGES ....................................................................................................................................... 543
WAP AND PDA INTERFACE .................................................................................................................... 544
REFERENCE ........................................................................................................................................... 549
DESKTOP AUTHORITY API...................................................................................................................... 549
DESKTOP AUTHORITY API - DYNAMIC VARIABLES ................................................................................ 550
DESKTOP AUTHORITY API - FUNCTIONS ................................................................................................. 551
LIMIT CONCURRENT LOGONS.................................................................................................................. 552
ROOT MAPPING HOME DIRECTORIES ...................................................................................................... 555
IMPLEMENTING A POOR MAN'S PROXY ................................................................................................... 566
DESKTOP AGENT ..................................................................................................................................... 567
OPTION FILES .......................................................................................................................................... 569
REPLICATION TO NETLOGON ............................................................................................................... 571
TROUBLESHOOTING........................................................................................................................... 574
TROUBLESHOOTING ................................................................................................................................ 574
BASIC TROUBLESHOOTING TECHNIQUES ................................................................................................. 576
GLOSSARY .............................................................................................................................................. 579
INDEX ...................................................................................................................................................... 583
viii
Concepts
WHAT IS DESKTOP AUTHORITY?
Desktop Authority, the leading desktop management platform for
Windows-based networks, significantly reduces total cost of desktop
and application ownership by enabling administrators to proactively
secure, manage, support and inventory desktops and applications from
a central location. Desktop Authority centralizes control over desktop
configurations, combining the functionality of logon scripting, group
policies and user profiles into one comprehensive solution.
Desktop Authority is available in two flavors, Desktop Authority and
Desktop Authority Express. Desktop Authority Express is a scaled
down version of Desktop Authority. It does not include the following
standard features included by default in the full version -- Patch
Management, Software Management, Anti-Spyware, USB/Port
Security, Hardware and Software Inventory and Custom Reporting and
the Desktop Authority Remote Management tool.
Desktop Configuration
From a single server-based installation point, Desktop Authority assists
administrators with the never-ending chore of configuring each
desktop attached to the network. When a user logs on or off, their
personalized configurations are applied to their environment. The
Operating System and applications get "fine-tuned" to the specific
user. Best of all, Desktop Authority does this without requiring you to
reduce overall security, without maintaining separate security policies
and without the need for a network administrator to visit each
computer.
Desktop Authority allows administrators to centrally manage over 30
different categories of desktop settings including drive mappings,
search paths, printer deployment, Windows Firewall ports, Internet
configuration & proxy settings, Microsoft Office paths, service pack and
patch deployment, Group Policy Templates, Anti-Spyware detection,
Security Policies, desktop shortcuts, automatic mail profile creation for
Outlook/Exchange, file operations, registry settings and more.
1
Administrator's Guide
Desktop Authority uses its patented Validation Logic technology to
determine how each desktop will be configured. The Validation Logic
technology is based on over 20 validation types including the class of
computer (such as desktop or portable), client operating system,
group membership, Active Directory sites, OUs, and registry and file
properties. Selection can be enhanced further using AND/OR
expressions to combine multiple Validation Logic rules. Custom
validation types can also be defined to allow configuration by desktop
attributes list, Asset Tags or hardware configuration.
Software Management*
MSI packages contain all necessary files an application needs in order
for it to be installed using Microsoft's Windows Installer. Desktop
Authority manages a repository of Microsoft Windows Installer (MSI)
packages. These packages can be deployed to and/or removed from
specified desktops.
USB/Port Security*
The myriad of portable storage mediums today make it essential for
corporations to prohibit or monitor the use of certain devices on the
company network. These devices can be very harmful to a corporation.
Confidential data can easily be copied to any portable device, viruses
can be introduced to the network and spread corporate wide and illegal
software can be copied to the company network.
Since most portable devices are small in size it is simple for any
employee to use these devices regardless of a written or verbal
company policy. The users ability to use these devices and/or transfer
data to and from these devices must be restricted. The USB/Port
Security object will do just this.
Users and/or groups of users can be restricted from using certain
types of removable storage devices. Desktop Authority's USB/Port
Security object will protect the company network against unauthorized
usage of devices such as MP3 players, PDAs, WiFi and more.
The USB/Port Security Option can help to free the enterprise of
unwanted removable storage devices, easily and quickly.
2
Concepts
Patch Management*
The time taken for attackers to develop an exploit when a patch is
released from Microsoft is decreasing. In the case of the Zotob worm,
it was only 5 days from the release of the MS05-039 patch until
attackers were able to take advantage of unpatched desktop
computers. Administrators cannot simply rely on network perimeter
security, since desktop users download files directly from the Internet
and use their laptops on unsecured networks when traveling or at
home.
Inherently, Desktop Authority includes the ability to scan desktops for
missing patches and download them from Microsoft. Low severity
patches can then be installed. Desktop Authority’s Patch Deployment
for Desktops Option builds on the base Desktop Authority platform
to dramatically simplify the task of installing any Microsoft Operating
System or application patches onto desktops across the enterprise,
and shut the door on attacks that exploit unpatched systems.
The Patch Deployment for Desktops Option takes the tasks of
downloading patches from Microsoft, distributing them to deployment
servers, selecting appropriate patches, selecting clients and deploying
patches, and wraps them all up into the easy-to-use Desktop Authority
Manager console, minimizing the amount of time required by
administrators to manage patch deployment, while maximizing control
over the patch management process.
3
Administrator's Guide
Anti-Spyware*
One of today’s fastest-growing threats to enterprise security is
spyware. From simple annoying ad pop-ups, to identity-stealing key
loggers and all the different types of software that snoops-on and
threatens your network in between, spyware is potentially more
dangerous and destructive to your business than any computer virus.
Desktop Authority’s enterprise-class Spyware Detection and Removal
(SDR) option gives administrators the ability to centrally secure and
protect desktops across the enterprise against spyware, together with
centralized control and reporting.
Out of the box, Desktop Authority offers the ability to download
spyware definition updates and detect spyware on desktops. In other
words, without purchasing the Spyware Removal option,
administrators can find out exactly how much spyware is currently
residing on desktops across the network. Once the Spyware Removal
option is enabled, quarantining and removal options are available to
rid client machines of unwanted spyware. In the event that SDR
reports that an application is classified as spyware even though it is
known to be benign or an acceptable risk, SDR can be configured to
exclude that application from detection.
Role Based Administration
In larger organizations there are typically multiple levels of
administrators, with junior ones assigned to specific geographical
locations or restricted administration tasks. Desktop Authority’s new
architecture allows super-users to restrict other administrators to only
view, change, and add or delete a limited set of configuration objects.
By defining roles and applying those roles to users or groups at the
profile level, super-users can ensure that administration of Desktop
Authority follows enterprise security boundaries.
4
Concepts
Hardware and Software Inventory and Custom Reporting*
Desktop Authority profiles and their configurations are now stored in
an SQL database, along with information about the managed
desktop. Built-in and custom reporting puts vital information at the
fingertips of administrators, including reports on hardware and
software inventory, user activity, patch deployment and Spyware
removal.
Comprehensive Reporting includes built-in and custom reporting on
Hardware / Software Inventory, User Activity, Patch Management,
Anti-Spyware, and Desktop Authority configuration.
Desktop Authority offers support for Windows Vista 32-bit, Windows
Vista 64-bit, Windows 2000/2003/2008 Server family, Windows 2003
Server 64-bit, Windows NT Server 4.0, including Terminal Server
Edition & Citrix Presentation Server (formerly known as MetaFrame),
Windows 2000 Professional, Windows XP 32-bit and Windows XP 64bit.
*This feature is not a standard part of Desktop Authority Express. To
obtain this feature, Desktop Authority Express must be upgraded to
the full version of Desktop Authority.
5
Administrator's Guide
HOW DOES DESKTOP AUTHORITY WORK?
Desktop Authority requires several components to facilitate
configuration of the desktop. These components include the Desktop
Authority Manager, configuration and reporting databases, and the
ScriptLogic, Update and OpsMaster services. These components all
work together to provide an efficient, scalable, and secure desktop
management system.
An overview the Desktop Authority process is shown below.
Desktop Authority Manager
The Desktop Authority Manager is the central console from which
configuration profiles, services and reports are managed by the
Network Administrator. The Manager also provides the ability to
remotely manage client computers over the local area network or
Internet. Once configuration data is saved and ready to be configured
on client computers, the data must be moved to the NETLOGON share.
This is done using replication. The replication process updates the
NETLOGON share for all target servers specified in the Server
Manager tool. Data is extracted from the DACONFIGURATION database
and written to a .SLP configuration file in the NETLOGON share.
6
Concepts
Configuration and Reporting Databases
Desktop Authority can install Microsoft SQL Server 2005 Express
Edition on the Operations Master or use an existing SQL Server. Within
this database instance there are two databases created. They are
DACONFIGURATION and DAREPORTING. The DACONFIGURATION
database is used to store product configuration data. The
DAREPORTING database holds hardware and software inventory,
user activity and other essential data that is collected for reporting
purposes (not available for Desktop Authority Express).
ScriptLogic Service
The ScriptLogic service enables Desktop Authority to perform tasks
that require administrative rights without sacrificing user-level security
at the workstation. This service helps Desktop Authority perform these
specialized tasks by installing a client version of the ScriptLogic service
to each client in order to temporarily elevate administrative rights. The
ScriptLogic service is installed to one or more servers within the
domain.
Update Service
The Update Service is used for software and data update services.
This service is required for the Patch Management, Anti-Spyware,
Software Management and Portable Device Control features of Desktop
Authority.
This service interfaces with www.scriptlogic.com and
www.microsoft.com in order to download Microsoft patches, antispyware definition updates and Patch Management updates. The
Update Service offers an encrypted and secure connection to the
ScriptLogic web site. This service is installed to one or more servers
within the domain.
OpsMaster Service
Desktop Authority may be installed to a Domain Controller or Member
Server. The installation server is known as the Operations Master. The
OpsMaster service is hosted on the Operations Master server. This
service manages communications among the Desktop Authority
Manager, databases, services, and logs. This service is installed once
per domain on the Operations Master server.
7
Administrator's Guide
Desktop Logon Process
As each user logs on to the network and is authenticated, the user's
logon script is executed. Desktop Authority is launched via a logon
script named SLOGIC. This script must be defined as the user’s logon
script in order for a client to execute Desktop Authority. The logon
script performs initializations and launches to Desktop Authority
engine.
Desktop Engine
Once the logon script performs its initial checks, the Desktop engine is
launched. The engine will initiate the configuration of objects and
elements. First, the Global Options are applied, user defined variables
are processed and Pre-Engine custom scripts are executed. If
configured, the Anti-Spyware and Patch Management components are
launched on the client. The client is scanned for Anti-Spyware and
missing patches.
From here, clients are configured with the settings defined in the
Manager. Once these settings are complete the engine will execute
post-engine custom scripts. Finally, when the logon script completes,
reporting data is collected, including hardware and software inventory,
and the client desktop is loaded.
Upon logoff, the Desktop engine is again launched. This time any
configuration elements found to validate for Logoff timing and for the
user and/or computer, will execute. During logoff there is an optional
visual indicator that can display to let the user know that something is
happening.
8
Concepts
WHAT IS REPLICATION?
The purpose of Directory Replication, as it applies to Desktop
Authority, is to propagate logon scripts from a source location to the
NETLOGON share of all target domain controllers. The benefit of
configuring some form of directory replication is that a single "master"
copy of the source files is maintained.
When users authenticate to the domain, they attempt to execute the
logon script assigned to them. The client will look for the logon script
file in the NETLOGON share of the domain controller that authenticated
the logon request.
Since any domain controller can authenticate a client's logon request,
directory replication simplifies the task of maintaining duplicate sets of
files on multiple domain controllers. In addition to logon script files,
Microsoft security policy (.pol) files are also stored in the NETLOGON
share.
With Windows NT, the default source location for the file replication is
the %SystemRoot%\System32\Repl\Export\Scripts folder. The default
destination location is the
%SystemRoot%\System32\Repl\Import\Scripts on each domain
controller -- this folder is shared as NETLOGON by default during the
Windows NT setup process. To configure Directory Replication using
Windows NT, you should use the Server Manager application, found in
the Administrative Tools (Common) program group.
With Windows 2000/2003, directory replication, as defined in Windows
NT, no longer exists. Windows 2000/2003 Server does have the
necessary NETLOGON share to provide logon scripts to non-Active
Directory enabled clients. By default, Windows 2000/2003 Server,
when configured as a domain controller, shares the
%SystemRoot%\SYSVOL\sysvol\domain_name\Scripts folder as
NETLOGON. Windows 2000/2003 automatically synchronizes the
NETLOGON share between Domain Controllers.
To provide a method of publishing Desktop Authority to both Windows
NT and Windows 2000/2003 domain controllers, Desktop Authority
performs its own replication. Desktop Authority's replication process
can replace Windows NT Directory Replication or work with it. Of
course, if Desktop Authority is your only logon script, there is typically
not a need to add the overhead of NT's directory replication service to
your domain controllers. Each time you make changes to your
configuration using the Desktop Authority Manager, you will save the
changes, replicate only the changed files, and then exit.
Desktop Authority Replication is configured in the Server Manager.
9
Administrator's Guide
If logon scripts and security policy files are not available in the
NETLOGON share of each domain controller, you may encounter a
situation where clients do not always process the logon script and/or
security policies. It isn't always the primary domain controller that
authenticates logons -- if the primary domain controller is busy, a
backup domain controller may perform the authentication. In fact, a
Windows 2000 client will always first attempt to locate and then
authenticate against a Windows 2000 domain controller, regardless of
whether or not it is on the other side of a low speed WAN link.
If a user authenticates to a domain and does not locate the logon
script assigned to them (in the NETLOGON share of the domain
controller which performed the authentication), the user is still allowed
to authenticate, however, no logon script will execute.
Directory Replication using Windows NT Replication Service
Directory Replication, as defined by Microsoft, is the duplication of a
master set of directories from a server (called an export server) to
specified servers or workstations (called import computers) in the
same or other domains. A server running Windows NT can be an
export server, an import computer or both. A workstation can only be
an import computer.
Windows NT includes the ability to configure directory replication using
Server Manager, however, this is typically not necessary when using
Desktop Authority as your company's enterprise logon script. This
method is much less efficient than Desktop Authority Replication, and
should be used only when absolutely necessary.
Microsoft's solution to this problem is to make Windows NT replicate
the logon script to each backup domain controller by using the
Windows NT's Directory Replicate service.
10
Concepts
Windows NT Replication Service has many limitations:
•
You should only replicate information that's read-only or that
rarely changes.
•
You should avoid replicating large amounts of data between
servers. This can cause excessive traffic on the network.
•
The Directory Replicator Service isn't capable of replicating
open files. You should make sure that any files you're planning
to replicate don't change very often, because heavily used files
may not be replicated during the day if they're in use.
•
The Directory Replicator Service only replicates information—it
doesn't synchronize data. All files and subdirectories that reside
in the Export\Scripts directory tree will be replicated every time
replication occurs.
•
Directory replication can occur only between like file systems.
This means that if your export server is using NTFS, you cannot
import data to a partition formatted with the FAT file system.
•
Directory Replication occurs at timed intervals (approximately
every 15 minutes). You cannot initiate the replication process
when necessary.
As Microsoft states: "As with anything in the world of computers,
Microsoft has confirmed a number of bugs in the Directory Replicator
Service, so there's a chance that even if you set up everything
correctly, it still may not work. The best way to ensure that your
replication will work correctly is to make sure the latest Service Pack is
loaded on all servers involved in replication."
Due to these limitations, we recommend against using the Windows NT
Directory Replication Service. Desktop Authority Replication provides a
much more efficient means of publishing only changed files, and only
when you need them published.
If you are using the Windows NT Directory Replication Service,
make sure to inform Desktop Authority about it using the
Replication options screen in Server Manager.
11
Administrator's Guide
WHAT IS VALIDATION LOGIC?
In order for the profiles and configuration elements to be processed on
clients during the logon process, Desktop Authority must qualify
whether a setting should be applied to the client. To do this, a set of
rules is created for every profile and configuration element within the
Manager. This set of rules, which includes the definition of connection
types, class types, operating systems and many other types, is called
Validation Logic.
During the logon process, the Validation Logic of each profile is
inspected. If the Validation Logic matches the client environment, the
profile is marked for processing. Once each profile's Validation Logic is
evaluated, the Validation Logic for all configuration elements in the
marked profiles is evaluated. When complete, the resulting qualified
configuration elements are executed on the client in the following
order.
•
•
12
Alerts
Anti-Spyware (not available in Desktop Authority
Express)
•
Application Launcher
•
Common Folder Redirection
•
Display
•
Drive Mappings
•
Environment
•
File Operations
•
File/Registry Permissions
•
Folder Redirection
•
General
•
Group Policy Templates
•
Inactivity
•
INI Files
•
Internet Explorer Settings
•
Legal Notice
•
Logging
Concepts
•
Message Boxes
•
Microsoft Office Settings
•
Microsoft Outlook Profiles
•
Microsoft Outlook Settings
•
MSI Packages (not available in Desktop Authority
Express)
•
Patch Deployment (not available in Desktop
Authority Express)
•
Path
•
Post-Engine Scripts
•
Power Schemes
•
Pre-Engine Scripts
•
Printers
•
Registry
•
Remote Management (not available in Desktop
Authority Express)
•
Security Policies
•
Service Pack Deployment
•
Shortcuts
•
Time Synchronization
•
•
USB/Port Security (not available in Desktop
Authority Express)
Windows Firewall
It is important to keep in mind that not all configuration elements will
be executed on a client just because its profile passes the validation
test. This is due to the secondary validation logic that is provided on
individual configuration elements. If a configuration element has no
validation logic rules defined and its profile passes the validation test,
the configuration element will automatically be processed on the client.
The figure below is a snapshot of the dialog used to define validation
logic for a profile or configuration element. Use the boxes to the right
of the Validation Logic Rules list to define the specific classes,
operating systems and connection types that the rules will apply to.
Double click on the validation logic rules list or press one of the
buttons below it to add, change or delete rules to/from the list.
13
Administrator's Guide
When the Validation Logic list includes more than one rule, Boolean
logic is used between each of the rules to obtain a result. Select either
the AND or OR option below the validation logic rules list. The selected
logic will apply to all rules defined in the list.
Disable this element regardless of validation
Select this check box to temporarily disable the selected
configuration element from executing during any client logon.
Clearing the box will re-enable the configuration setting.
Validation Type
Validation rules are created by selecting any of the various validation
types along with providing a validation value. Together the validation
type and value make a validation rule. Multiple validation rules can be
added to the validation rule list. Press the Add button to add a new
validation rule. Press the Modify button to change an existing
validation rule. Press the Delete button to remove a validation rule
from the list.
Validation rules support the asterisk (*) and question mark (?)
wildcards in the validation value. This provides the ability to configure
a setting for multiple instances of the selected Type. Use an asterisk to
substitute a string of characters of any length. Use a question mark (?)
to substitute a single character. One or more instances of each
wildcard may be used in the comparison value.
14
Concepts
Validation Logic rules use Boolean logic (AND or OR) to tie each rule
together. Either AND or OR may be used on a set of validation rules,
however, AND and OR may not be used together in the same
validation rules list. Each validation rule may also use a Boolean NOT
to negate the rule. Using a Boolean NOT in a rule will automatically
use a Boolean AND to evaluate the combination of rules.
Listed below are the validation logic types that can be selected in the
validation logic box.
Network Membership
Authenticating Domain
Select Authenticating Domain to execute a configuration element
for all computers that log on to the specified Domain. Find the
Authenticating Domain Validation Logic type under the Network
Membership category. In the Select Domain box, enter the name of
the Domain. Optionally press the Resource Browser button to
locate the Domain. The supplied Authenticating Domain value is
compared against the domain the client machine is attempting to
log on to and must match for the configuration element to be
processed. On Windows 95/98 clients, Domain refers to the
Workgroup in which the computer is a member.
Computer Domain
Select Computer Domain to execute a configuration element for all
computers that belong to the specified Domain. Find the Computer
Domain Validation Logic type under the Network Membership
category. In the Select Domain box, enter the name of the
Domain. Optionally press the Resource Browser button to locate
the Domain. The supplied Computer Domain value is compared
against the domain the client machine is a part of during the logon
process and must match for the configuration element to be
processed. On Windows 95/98 clients, Domain refers to the
Workgroup in which the computer is a member.
15
Administrator's Guide
Computer Group
Select Computer Group to execute a configuration element when
the client computer is part of the specified Active Directory Group.
Find the Computer Group Validation Logic type under the Network
Membership category. In the Select Group box, enter the name of
, to
the Computer Group or press the Resource Browser button,
locate it. If the computer logging on is part of the supplied group,
the configuration element and/or profile will be processed.
This validation logic type is not valid on NT 4.0 Domains as they do
not support adding workstations to groups.
Examples:
Floor2Group
Validates true for all computers in the
Floor2Group (all computers on the second
floor).
PC2*
Validates true for all computers in any
group starting with a PC2 prefix.
AdminGrp
Validates true for all computers in the
AdminGrp.
OU (Computer)
Select Organizational Unit (Computer) to execute a configuration
element for all computers belonging to a specific OU. Find the OU
(Computer) Validation Logic type under the Network Membership
category. In the Select Organizational Unit box, enter the name of
the OU or press the OU Browser button to locate it. The supplied
OU value is compared against the OU the client machine is a part
of during the logon process and must match for the configuration
element to be processed.
Select the box Include child OUs to include all child OUs in the
validation logic rule.
Examples:
\Florida\Boca\Accounting
16
Validates true for any
computer belonging to the
\Florida\Boca\Accounting OU.
Child OU's will be included if
the "Include child OUs" box is
selected.
Concepts
OU (User)
Select Organizational Unit (User) to execute a configuration
element for all users belonging to a specific OU. Find the OU (User)
Validation Logic type under the Network Membership category. In
the Select Organizational Unit box, enter the name of the OU or
. The supplied OU value is
press the OU Browser button,
compared against the OU the client machine is a part of during the
logon process and must match for the configuration element to be
processed.
Select the box Include child OUs to include all child OUs in the
validation logic.
Examples:
\Florida\Boca\Accounting
Validates true for any
computer belonging to the
\Florida\Boca\Accounting
OU. Child OU's will be
included if the "Include child
OUs" box is selected.
Primary Group
Select Primary Group to execute a configuration element for all
users of the specified Primary Group. Find the Primary Group
Validation Logic type under the Network Membership category. In
the Select Group box, enter the name of the Group or press the
, to locate it. The supplied Primary
Resource Browser button,
Group value is compared against the primary group of the user
during the logon process and must match for the configuration
element to be processed.
Example:
Sales
Validates true for all users that have Sales defined as
their primary group.
Site
Select Site to execute a configuration element for all computers
that belong to the specified Site. Find the Site Validation Logic type
under the Network Membership category. In the Select Site box,
enter the name of the Site. The supplied Site value is compared
against the site the client machine is a part of during the logon
process and must match for the configuration element to be
processed.
17
Administrator's Guide
User Group
Select User Group to execute a configuration element for all users
belonging to a specific network group. Find the User Group
Validation Logic type under the Network Membership category. In
the Select Group box, enter the name of the Group or press the
, to locate the group. The supplied
Resource Browser button,
group membership value is compared against the groups that the
user is a part of during the logon process and must match for the
configuration element to be processed.
Examples:
Marketing
Validates true for all users that are part of the
Marketing group.
Sales
Validates true for all users that are part of the
Sales group.
Marketing;Sales
Validates true for users of both the Marketing
and Sales groups.
*
Validates true for all groups.
User Group does not support the wildcards * (asterisk) and ?
(question mark) with the exception of a single * meaning "all
groups".
User Name
Select User Name to execute a configuration element for a specific
User Name(s). Find the User Name Validation Logic type under the
User Information category. In the Select User box, enter the name
. The
of the User(s) or press the Resource Browser button,
supplied User Name value is compared against the User Name used
during the logon process and must match for the configuration
element to be processed.
Use the User Name validation type to execute a configuration
element for a particular user regardless of the computer from
which they log on to. For example, if the configuration element
should execute any time Mary Jones (user name mjones) logs into
the network, specify mjones as the user name.
Examples:
18
mjones
Validates true for user mjones only.
mjones;
tsmith
Validates true for user mjones and
tsmith.
*
Validates true for all users.
Concepts
Computer Information
Computer Name
Select Computer Name in order to execute a configuration element
for the specific computer regardless of the user that logs onto that
computer. Find the Computer Name Validation Logic type under the
Computer Information category. In the Select Computer box, enter
, to
the Computer Name or press the Resource Browser button,
locate the computer name. The supplied Computer Name is
compared against the Computer Name of the client during the
logon process and must match for the configuration element to be
processed.
Examples:
PC221
Validates true for the desktop computer named
PC221.
*LAPTOP*
Validates true for any desktop computer with
LAPTOP in its name.
*221
Validates true for any desktop computer ending
with 221 in its name.
PC*
Validates true for any desktop computer starting
with PC as its name.
PC2??
Validates true for any desktop computer starting
with PC2 in its name and is followed by two
additional characters.
A??-PCxxxACCTG
Validates true for any desktop computer
belonging to the ACCTG department, in building
A, on any floor (??). This particular example
denotes the granularity possible when used in
conjunction with the corporate computer naming
standards.
Host Address
Select Host Address in order to execute a configuration element for
the specific name. Find the Host Address Validation Logic type
under the Computer Information category. In the Value box, enter
the Host Address. The supplied Host Address is compared against
the Host Address of the client during the logon process and must
match for the configuration element to be processed.
The Host Address can identify a specific Host Address or a set of
Host Addresses using wildcards.
For example, if a portion of the Host Address was used to
distinguish between different office buildings, a wildcard can be
used when validating the Host Address to deploy printers based
upon in which building the computer is located.
19
Administrator's Guide
Examples:
loc031-pc221.bldga.acme.com
Validates true for the
specific computer whose
Host Address is loc031pc221.bldga.acme.com.
loc031-pc221.bldga.*
Validates true for the
computer in building A,
whose Host Address
begins with loc031pc221.bldga.
*.bldga.*
Validates true for any
computers that are in
Building A.
*.bldga.acme.com*
Validates true for any
computers that are in
Building A and part of
the Domain
acme.com.
MAC Address
Select MAC Address in order to execute a configuration element for
a specific computer regardless of the user that logs onto that
computer. Find the MAC Address Validation Logic type under the
Computer Information category. In the Value box, enter the MAC
Address. The supplied MAC Address is compared against the MAC
Address of the client during the logon process and must match for
the configuration element to be processed.
This type of validation gives the ability to specify a specific
computer on the network based on the MAC Address built in to the
network adapter. This gives a simple way to address a specific
machine regardless of the user that logs onto the machine or the
computer name (which is vulnerable to change). Validating on a
MAC Address may also be useful if your network uses IPX/SPX as a
protocol.
To determine the MAC Address for a computer's network adapter,
run IPCONFIG /ALL on NT based operating systems or WINIPCFG
on Windows 9x operating systems. The MAC Address will be
defined as the Physical Address for the network adapter.
TCP/IP Address
Select Registry Key Exists in order to execute a configuration
element for the specific computer if the specified Registry Key is
found in the registry. Find the Registry Key Exists Validation Logic
type under the Computer Information category.
In the Key box, enter the Registry Key name. If the Registry key
exists, the configuration element will be processed.
File Exists
20
Concepts
Select File Exists in order to execute a configuration element for
the specific computer regardless of the user that logs onto that
computer. Find the File Exists Validation Logic type under the
Computer Information category.
In the Value box, enter the file name (including path) of the file to
be checked. If the file exists in the path specified the configuration
element will be processed.
File Version
Select File Version in order to execute a configuration element for
the specific computer regardless of the user that logs onto that
computer. Find the File Version Validation Logic type under the
Computer Information category. The file's version information is
normally embedded into the file and can be seen on the Version
tab of the Properties for the file.
The File Version validation type requires three validation values to
complete its configuration. The required values are File, Operator
and Version. Enter the name of the file (including path) whose
version will be compared against into the File box. Enter the
comparison operator into the Operator box. Enter the comparison
operator to be used in the compare operation. Enter the
comparison value into the Version box.
The file's version is extracted and then compared against the
information specified by the operator and comparison version. If
the comparison (performed during the logon process) returns a
TRUE result the configuration element will be processed.
Example:
File:
C:\Program Files\Microsoft Office\Office10\Winword.exe
Operator:
<=
Version:
10.0
If the version of the Winword.exe file is less than or equal to 10.0 the
configuration element will be processed.
21
Administrator's Guide
IPv4 Range
Select IPv4 Range in order to execute a configuration element for
any computer with an IP address within the range specified. Find
the IP Range Validation Logic type under the Computer Information
category. In the Range boxes, enter the beginning and ending IP
addresses. The supplied range of IP addresses is compared against
the IP address of the computer during the logon process and must
match for the configuration element to be processed.
Examples:
192.168.100.5 192.168.100.50
Validates true for the computer whose IP
address is between192.168.100.5 and
192.168.100.50, inclusive.
To determine the IP Address for a computer, run IPCONFIG on NT
based operating systems or WINIPCFG on Windows 9x operating
systems.
IPv6 Range
Select IPv6 Range in order to execute a configuration element for
any computer with an IP address within the range specified. Find
the IP Range Validation Logic type under the Computer Information
category. In the Range boxes, enter the beginning and ending IP
addresses. The supplied range of IP addresses is compared against
the IP address of the computer during the logon process and must
match for the configuration element to be processed.
Examples:
10::1 - 10::10
Validates true for the computer whose IP
address is between10:0:0:0:0:0:0:1 and
10:0:0:0:0:0:0:10, inclusive.
To determine the IP Address for a computer, run IPCONFIG on NT
based operating systems or WINIPCFG on Windows 9x operating
systems.
22
Concepts
Registry Key Exists
Select TCP/IP Address in order to execute a configuration element
for the specific machine based on the TCP/IP address. Find the
TCP/IP Address Validation Logic type under the Computer
Information category. In the Value box, enter the TCP/IP address.
The supplied TCP/IP address is compared against the TCP/IP
address of the computer during the logon process and must match
for the configuration element to be processed. The TCP/IP Address
validation type will accept IPv4 and IPv6 addresses.
The asterisk (*) and question mark (?) wildcards may be used to
match TCP/IP addresses. This wildcard technique and simplified
string manipulation, should be effective on most networks. Keep in
mind that you are not required to specify complete octets.
Specifying 192.168.1* would attempt to match the first two octets
completely and the first character of the third octet to the client's
TCP/IP address.
Examples:
192.168.100.5
Validates true for the computer whose TCP/IP
address is 192.168.100.5.
192.168.100.*
Validates true for any computers whose TCP/IP
address matches the first three octets.
192.168.*
Validates true for any computers whose TCP/IP
address matches the first two octets.
192.168.1??.5
Validates true for any computers whose
TCP/IP address matches 192.168.1xx.5,
where xx is any number.
10::1
Validates true for the computer whose
TCP/IP address is 10:0:0:0:0:0:0:1
23
Administrator's Guide
True subnetting is supported in the TCP/IP Address value field. Use
true subnetting values to selectively specify certain groups of IP
addresses. Specify the IP address and subnet mask in the TCP/IP
value entry. The subnet mask can be specified in either dotted
decimal format or by specifying the number of mask bits.
Examples:
10.0.0.4/255.255.255.0
Validates true for the computers
whose IP address is in the range
or 10.0.0.1 - 10.0.0.254.
10.0.0.4/24
Validates true for the computers
whose IP address is in the range
or 10.0.0.1 - 10.0.0.254.
10.0.0.4/255.255.255.240
Validates true for the computers
whose IP address is in the range
or 10.0.0.1 - 10.0.0.14.
10.0.1.4/28
Validates true for the computers
whose IP address is in the range
or 10.0.1.1 - 10.0.1.14.
10.0.0.39/28
Validates true for the computers
whose IP address is in the range
or 10.0.0.33.
10::1/112
To determine the IP Address for a computer, run IPCONFIG on NT
based operating systems or WINIPCFG on Windows 9x operating
systems.
Registry Value Exists
Select Registry Value Exists in order to execute a configuration
element for the specific computer if the specified Registry Key and
Value is found in the registry. Find the Registry Value Exists
Validation Logic type under the Computer Information category.
In the Key box, enter the Registry Key name. Enter the registry
key value in the Value entry. If the Registry key and value
combination exists the configuration element will be processed.
24
Concepts
Registry Value
Select Registry Value in order to execute a configuration element
for the specific computer regardless of the user that logs onto that
computer. Find the Registry Value Validation Logic type under the
Computer Information category.
The Registry Value validation type requires four validation values
to complete its configuration. The required values are Key, Value,
Operator and Data. Enter the registry hive and key to be checked
into the Key box. Enter the name of the entry within the specified
key to be checked into the Value box. Enter the operator to be
used in the compare operation. Enter the data to be compared
against into the Data box.
The supplied validation values (Value, Operator and Data) are used
to form a condition that is applied to the specified Key. If the
comparison (performed during the logon process) returns a TRUE
result the configuration element will be processed.
Example:
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX
Value:
Version
Operator: <
Data:
9.0
If the installed version of DirectX is less than 9.0, the configuration element
will be processed.
Virtual Environment
Select Virtual Environment in order to execute a configuration
element for the specific computer regardless of the user that logs
onto that computer. Find the Virtual Environment Validation Logic
type under the Computer Information category.
Select VMWare Virtual Machine to enable validation checking for a
VMWare virtual machine. If the computer is running a VMWare
session at the time of logon, the configuration element will be
processed.
Platform Type
Select Platform Type in order to execute a configuration element
for the specific computer regardless of the user that logs onto that
computer. Find the Platform Type Validation Logic type under the
Computer Information category.
Select Platform Type to enable validation checking based on the
Operating System platform, 32 or 64 bit operating system. If the
computer is running an operating system platform that matches
one of the platforms selected, the configuration element will be
processed.
25
Administrator's Guide
Terminal Services
TS Application Name
Select TS Application Name in order to execute a configuration
element based on the name of the Terminal Server (TS) published
application that is currently in use. Find the TS Application Name
Validation Logic type under the Terminal Services category. In the
Value box, enter the TS Application Name. The supplied TS
Application Name is compared against the running applications
during the logon process and must be found for the configuration
element to be processed.
Note: Some Citrix environments precede the published
application name with a # symbol. For example, if the
application name is published as Outlook, the name on the
client side may be represented as #Outlook. Therefore, the
Validation Logic must be set to #Outlook (in this instance)
for the element to validate properly.
To determine the actual published application name that is
being used on the client, review the sltrace.htm log file.
TS Client Name
Select TS Client Name in order to execute a configuration element
based on the name of the TS Client. Find the TS Client Name
Validation Logic type under the Terminal Services category. In the
Value box, enter the TS Client Name. If the supplied name matches
the name of the client logging onto the Terminal Server the
configuration element is processed.
TS Client TCP/IP Address
Select TS Client TCP/IP Address in order to execute a configuration
element based on the IP Address of the client connecting to the
Terminal Server (TS). Find the TS Client TCP/IP Address Validation
Logic type under the Terminal Services category. Specify the TS
Client TCP/IP Address by entering it into the Value entry. If both IP
Addresses match the configuration element will be processed.
26
Concepts
True subnetting is supported. Use true subnetting values to
selectively specify certain groups of IP addresses. Specify the IP
address and subnet mask in the TCP/IP in the Value entry. The
subnet mask can be specified in either dotted decimal format or by
specifying the number of mask bits.
Examples:
10.0.0.4/255.255.255.0
Validates true for the computers
whose IP address is in the range of
10.0.0.1 - 10.0.0.254.
10.0.0.4/24
Validates true for the computers
whose IP address is in the range of
10.0.0.1 - 10.0.0.254.
10.0.0.4/255.255.255.240
Validates true for the computers
whose IP address is in the range of
10.0.0.1 - 10.0.0.14.
10.0.1.4/28
Validates true for the computers
whose IP address is in the range of
10.0.1.1 - 10.0.1.14.
10.0.0.39/28
Validates true for the computers
whose IP address is in the range of
10.0.0.33.
TS Initial Program
Select TS Initial Program in order to execute a configuration
element based on the name of the Terminal Server (TS) Initial
Program currently in use. Find the TS Initial Program Validation
Logic type under the Terminal Services category. In the Value box,
enter the TS Initial Program name. If the supplied TS Initial
Program is running during the logon process, the configuration
element is processed.
TS Session Name
Select TS Session Name in order to execute a configuration
element based on the connection name that is in use between the
client and the Terminal Server (TS). The TS Session Name is made
up of a combination of the Terminal Server Connection
Name#Session Id. Find the TS Session Name Validation Logic type
under the Terminal Services category. In the Value box, enter the
TS Session Name. If a connection occurs on the supplied session,
the configuration element will be processed.
27
Administrator's Guide
Custom Validation
Custom Function
Select Custom Function in order to execute a configuration element
based on the return value of the function. Find the Custom
Function Validation Logic type under the Custom Validation
category. Custom functions are defined in the Profile's Definitions
tab. All custom functions must return a TRUE or FALSE value.
Specify the Custom Variable by entering it into the Value entry. If
the custom function returns TRUE (or any value other than 0), the
configuration element will be processed. A FALSE return value will
cause the configuration element to be unprocessed.
Example:
The function below is used to determine if the specified version ($version) of
DirectX is greater, equal or less than ($operand) the currently installed
version of DirectX. The function returns a value ($DXVersion) based on the
parameters passed to the function. This function is defined in the Profile's
Definitions tab.
; ScriptLogic Custom Script File
; File Name: SLP00001.sld
; Description: SLP00001.sld
;
;---------------------------------------------------------function DXVersion($operand, $version)
if
slVersionCompare(ReadValue('SOFTWARE\Microsoft\Directx','Version'),$opera
nd,$version)
$DXVersion = 1
else
$DXVersion = 0
endif
endfunction
;---------------------------------------------------------RETURN ; Must be last line of file. Do not remove this line
To use this function within the Validation Logic, select Custom Function from
the Validation Logic dialog box. Specify the function name and parameters (if
necessary) in the Value entry. In this example, an operand of '<' (less than)
and a version of 7.0 is passed to the function. This is compared to the version
of DirectX on the workstation. The return value is set accordingly. If the
version of DirectX on the workstation is less than 7.0 than the script entry will
be processed.
Desktop Authority provides no error control over custom functions.
A syntax error in your custom function will cause Desktop Authority
to unexpectedly terminate.
28
Concepts
Custom Variable
Select Custom Variable in order to execute a configuration element
based on the value of the defined variable. Find the Custom
Variable Validation Logic type under the Custom Validation
category. Custom variables are defined in the profile's Definitions
tab. All custom variables must evaluate to a TRUE or FALSE value.
Specify the Custom Variable by entering it into the Value field. If
the custom variable equals to TRUE (or any value other than 0),
the configuration element will be processed. A FALSE value will
cause the configuration element not to be processed.
Example:
The value of the variable below ($DASystemTray) is evaluated with the code
below. This variable is defined in the Profile's Definitions tab.
; ScriptLogic Custom Script File
; File Name: SLP00001.sld
; Description: SLP00001.sld
;
;---------------------------------------------------------$DASystemTray = ReadValue($DAKeyLM+'\v5\GUI\','EnableSystemTray')
;---------------------------------------------------------RETURN ; Must be last line of file. Do not remove this line
To use this variable within Validation Logic, select Custom
Variable from the Validation Logic dialog box. Specify the
variable name in the Value entry. In this example, the registry
key can either equal a 1 or 0. When the registry key is read,
the value is stored in the $DASystemTray variable. If the
value of the variable is True (or any other non-zero value),
the script element will be processed.
29
Administrator's Guide
If the variable does not result in a boolean value and will be
used as comparison to a string, the variable must be wrapped
within quotes. In the following example, $SiDesktopSize, the
variable results in the size of the computer desktop as a
string. For example, "1024x768". This variable is expressed
within quotes and compared to a string (within quotes) in the
Validation Logic dialog.
Desktop Authority provides no error control over custom variables.
A syntax error in your custom variable will cause Desktop Authority
to unexpectedly terminate.
Timing and Events
Frequency
Select Frequency to validate a configuration element for
users/computers based on the specified timing. Find the Frequency
Validation Logic type under the Timing and Events category. The
specified Cycle and/or Frequency values are compared against the
user, computer and UID. If the timing and UID conditions match,
the configuration element will be processed.
30
Concepts
Cycle
Select a time interval for which the element will validate.
Choose from Everyday, Day of Week, Monthly (Day of Week),
Monthly (Day of Month) andSpecific Date.
Selecting Every time as the cycle, will force the element to
validate each day at the specified frequency.
Selecting Day of Week as the cycle, presents a new list
allowing the selection of a day from Sunday to Saturday.
Selecting Monthly (Day of Week) as the cycle, presents a
new list allowing the selection of a day in the month ranging
from 1st Sunday, 1st Monday, . . . to the 5th Saturday of the
month.
Selecting Monthly (Day of Month) as the cycle, presents a
new list allowing the selection of a date within the month.
Selecting Specific Date as the cycle, presents an entry to
which the specific date should be entered. Press the arrow to
make your date selection from any calendar day.
Frequency
Select a logon frequency from the list. Select from Every
Time, Once Per Day (User), Once Per Day (Computer), One
Time (User) andOne Time (Computer).
Every time is used to validate an element at the specified
cycle, each time.
Select Once Per Day (User) to validate an element at the
specified cycle, one time per day for the current user.
Select Once Per Day (Computer) to validate an element at
the specified cycle, one time per day for the computer.
Select One Time (User) to validate an element at the
specified cycle, a single time for the current user.
Select One Time (Computer) to validate an element at the
specified cycle, a single time for the computer.
UID
The UID entry is used to make each element that uses a
Frequency Validation Logic type, a unique item, regardless of
its configurations. This is helpful when the Frequency is set to
Once Per Day or One Time. The data in the UID entry is
automatically generated and should not be modified.
However, if there is an element that is set execute Once Per
Day or One Time, and if it must execute a second time, the
UID can manually be changed by clicking Generate New.
31
Administrator's Guide
Time Range
Select Time Range to execute a configuration element if the
current time is within the Time Range specified. Find the Time
Range Validation Logic type under the Timing and Events category.
Enter the beginning of the time range in the first box and the
ending time range in the second box. The current time is compared
to the time range values and must fall into the range for the
configuration element to be processed.
Class
Desktop*
Use the Desktop validation to execute a configuration element on all
desktop computers.
Computers that use the Windows NT operating system detect a
desktop computer based on the existence of a PCMCIA device
driver. If the driver does not exist, the computer is considered a
desktop. On all other operating systems, a desktop computer is
determined based on the presence of a rechargeable battery. If no
battery is detected, the device is considered a desktop.
Portable*
Use the Portable validation logic to execute a configuration element
on all notebook devices. A portable device is considered any small
computer, light enough to carry, such as a laptop.
Tablet PC
Use the Tablet PC validation logic to execute a configuration element
on any Tablet PC. Tablet PCs run the Windows XP Tablet PC
operating system.
Embedded
Use the Embedded validation logic to execute a configuration
element on a client with an Embedded operating system.
Term Serv Client
Use the Term Serv Client validation logic to execute a configuration
element on a Terminal Server Client connection.
A resource is considered a Terminal Server Client if the operating
system is NT 4, TS Edition, or the operating system is Windows
Server with Terminal Services installed and the computer is running
in Application Server Mode.
32
Concepts
Member Server
Use the Member Server validation logic to execute a configuration
element on all member servers logging onto the network. A member
server is any server on the network that does not authenticate logon
requests.
Domain Controller
Use the Domain Controller validation logic to execute a configuration
element on all computers that are considered to be a Domain
Controller (PDC, BDC, or otherwise). A Domain Controller is any
computer that has the ability to authenticate logon requests.
*A complex rule set is used to distinguish the class of a computer.
This rule set involves the determination of CPU types, batteries and
PCMCIA drivers. The methods used to determine the class of a
computer is not foolproof. There are two instances where the class
of the computer may be incorrectly determined.
A notebook device may be determined to be a desktop on a non-NT
operating system if the battery is physically not in place in the
device. A desktop may be determined to be a portable device on a
non-NT operating system if the computer has a PCMCIA device.
Operating System
95*
Check this box to execute an element if the computer is running the
Windows 95 operating system.
98*
Check this box to execute an element if the computer is running the
Windows 98 operating system.
Me*
Check this box to execute an element if the computer is running the
Windows Me (Millennium Edition) operating system.
NT*
Check this box to execute an element if the computer is running the
Windows NT 4 operating system.
2000
Check this box to execute an element if the computer is running the
Windows 2000 operating system.
XP
Check this box to execute an element if the computer is running the
Windows XP operating system.
33
Administrator's Guide
2003
Check this box to execute an element if the computer is running the
Windows 2003 operating system.
Vista
Check this box to execute an element if the computer is running the
Windows Vista operating system.
2008
Check this box to execute an element is the computer is running the
Windows 2008 operating system.
*Windows 95, 98, Me and NT4 clients are no longer supported.
Connection Type
LAN
Check this box to execute a script element if the computer is directly
connected to the network.
Dial-up
Check this box to execute a script element if the computer is
connected to the network via a dial-up connection. A dial-up
connection includes RAS and VPN connections, provided the client
used a dial-up networking session to make the connection.
To disable a specific script element from being processed, clear the
Dial-up and LAN connection types. You will be warned that the entry
will not execute without at least one of the connection types
selected. The entry will appear in gray text to illustrate it has been
disabled.
Timing
Logon
Check this box to execute an element when a client logs on to the
computer. The element will execute during the logon process.
The Logon timing event will be disabled if the parent profile does not
have the Logon timing event box selected. This will make the Logon
event unavailable for execution at logon.
Desktop
Check this box to execute an element when a client logs on to the
computer. The element will execute after the logon process
completes.
34
Concepts
Logoff
Check this box to execute an element when a client logs off the
computer.
The Logoff timing event will be disabled if the parent profile does not
have the Logoff timing event box selected. This will make the Logoff
event unavailable for execution at logoff.
At logoff, an optional progress bar can be displayed to let the user
know that logoff operations are executing. The progress bar state
can be set on the Global Options > Visual tab.
Shut down
Check this box to execute an element when the operating system is
exited on a client computer.
Refresh
Check this box to execute an element every hour following a client
logon.
SLOGIC.BAT can be called to force a refresh event at any time.
Slogic.bat will take the following parameters: logon, logoff, refresh,
desktop, and shutdown.
Example:
%logonserver%\netlogon\slogic.bat /event [logon | logoff | refresh | desktop |
shutdown],
where one of the above mentioned refresh events will be passed to slogic.bat.
%logonserver%\netlogon\slogic.bat /eventrefresh
will force a refresh event to occur
%logonserver%\netlogon\slogic.bat /event logon
will force a logon event to occur
Each timing event is not necessarily available for all objects.
Only the available timing events for each object will be enabled
in the Timing validation box. Timing is not an available option
for the Time Synchronization and Microsoft Outlook Profiles
objects.
35
Administrator's Guide
WHAT ARE DYNAMIC VARIABLES?
A Dynamic Variable represents an area in memory that is reserved to
hold a specific value. The value of the variable is dynamic in that the
value will differ based on the current user. These variables are used to
hold temporary values during the execution of a logon or custom
script. All Desktop Authority dynamic variables are prefixed with a
dollar ($) sign. The rules for defining new dynamic variables follow the
KiXtart guidelines. More information on KiXtart can be found at
www.scriptlogic.com/kixtart.
There are two categories of Dynamic Variables: Predefined and
Custom. Predefined dynamic variables are ones that are defined by
Desktop Authority. Custom Scripts may override the value of these
variables. Desktop Authority can also make use of User Defined
Custom dynamic variables.
Predefined Dynamic Variables
In the Desktop Authority Manager, predefined dynamic variables are
used to aid in the creation of configuration elements. The great thing
about these variables is that since their values change based on the
current user/computer, a single configuration entry can be used for all
users/computers. You can be assured that at runtime when the logon
script is executed, the predefined dynamic variable will contain the
documented value based on the current user/computer.
For example, the predefined dynamic variable $UserId can be used to
denote the logon id of the current user. At runtime when the logon
script is executed, the $UserId variable will contain the userid of the
user currently logging on to the network.
Dynamic variables can be used throughout the Manager by typing the
name of the variable into the desired field or by pressing the F2 key
when the cursor is in any entry box. Pressing F2 will display a dialog
box similar to the following, allowing the selection of a predefined
variable from a visual list.
36
Concepts
To select a variable, select it in the list and click Insert or double-click
the variable. The selected variable will be inserted into the field at the
current cursor position.
Dynamic variables can also be used in custom scripts. When writing a
custom script there is no popup list of valid predefined dynamic
variables.
A complete list of predefined variables can be found on the ScriptLogic
web site.
Example Usage:
One of the most commonly used places for using Predefined
Dynamic Variables is in the Drive Mappings object. Use the
$HomeServer and $HomeDir variables to map a home drive for your
users.
37
Administrator's Guide
Custom Dynamic Variables
Custom Dynamic Variables can be pre-defined for use in the Manager
as well as in Custom Scripts. To use your custom dynamic variables in
the Manager, simply add the variable definition to the Definitions tab
of either the Global Options or the Profile dialogs. Defining a variable
within Global Options makes the variable available everywhere,
regardless of which profiles are processed on the client. Variables
defined in the profile’s Definitions tab are available only if the profile in
which the variable is defined is processed on the client. To add a
custom variable, simply click Edit on the Definitions tab.
Example Usage:
Instead of using the internal dynamic variable for the wallpaper file,
a custom Dynamic Variable can be created. Modify either the Global
Options or Profile Definitions file. Add a new custom variable called
$customwallpaper. Other code can be wrapped around this definition
to determine which group (department) the user belongs to. On the
Display object, enter $customwallpaper in the Wallpaper file box.
When the logon script is executed, the $customwallpaper variable is
evaluated and set for each user.
38
Installation
MINIMUM REQUIREMENTS
Desktop Authority requires installation within a NT/2000/2003 Domain.
It cannot be installed on a peer-to-peer network.
The following list represents Desktop Authority’s recommended Server
and Client requirements.
Minimum Server Requirements
Operating
System*
Service
Pack
Internet
Explorer
Memory
Disk
Space
Windows
2000
Server
IE 5.0 or
higher
along
with the
high
encryptio
n pack
512 MB
(recomm
ended 1
GB)
600
MB
Windows
2000
Server
SP3 or
greater
SP3
includes
IE with
high
encryptio
n pack
512 MB
(recomm
ended 1
GB)
600
MB
Windows
2003
SP1 or
greater
IE 6.0 or
higher
512 MB
(recomm
ended 1
GB)
600
MB
Windows
2003
Server 64bit
SP1 or
greater
IE 6.0 or
higher
512 MB
(recomm
ended
2+ GB)
600
MB
Windows
2008
Server
IE 7.0 or
higher
512 MB
(recomm
ended
2+ GB)
10 GB
Windows
2008
Server 64bit
IE 7.0 or
higher
512 MB
(recomm
ended
2+ GB)
10 GB
39
Administrator's Guide
* Desktop Authority may not be installed onto a server that is
running Microsoft Windows NT 4.0 Server, however, the Desktop
Authority Manager may be run from a shortcut on a machine with
Microsoft Windows NT 4.0 or greater. NT 4.0 domain controllers
will support the ScriptLogic Service and can act as replication
targets.
In order to run the Desktop Authority Manager from a shortcut on
a Windows XP client, it must have Service Pack 1 (SP1) or
greater installed.
Windows 2008 Server has Windows Firewall enabled by
default. When installing on Windows 2008 Server, the Desktop
Authority installation will prompt to create firewall exceptions. If
these exceptions are not set, a limited set of functionality will be
lost. This includes (but is not limited to) running Desktop
Authority Manager from a shortcut, installing Remote
Management and running ScriptLogic Service from a member
server.
By default, the Computer Browser service is disabled on Windows
2008 Server. Desktop Authority requires this service to be
started. The Desktop Authority Installation will be set for
Automatic Startup and started if it is not started during the
install.
Minimum Client Requirements
40
Operating
System
Memory
Disk Space
Windows
95**
64 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space)
Windows
98**
64 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space)
Windows
Me**
64 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space)
Windows NT4
SP6**
96 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space)
Windows
2000
128 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space)
Windows XP
128 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space)
Installation
Windows XP
64-bit
128 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space)
Windows
2003 Server
128 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space)
Windows
2003 Server
64-bit
128 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space)
Windows
Vista
512 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space
Windows
Vista 64-bit
512 MB
256 MB free space (Patch Management
and Service Pack installs require 1.5 GB
free space
Windows
2008
512 MB
512 MB free space
Windows
2008 Server
512 MB
512 MB free space
*Use of Anti-spyware, Patch Management, Software Management
and USB/Port Security requires Internet Explorer version 5.01
with the high encryption pack or Internet Explorer 5.5 or
greater.
*Use of USB/Port Security configurations on client workstations
require Windows 2000 SP4 with Rollup 1 or Windows XP SP 2.
**Windows 95, 98, Me and NT4 clients are no longer supported.
For detailed Operating System, Disk Space and RAM
requirements, refer to Article T1515, found in ScriptLogic's
Online Knowledge Base system.
41
Administrator's Guide
INSTALLATION PROCEDURE
Desktop Authority Folders
The Desktop Authority installation program creates the following folder
tree under the Program Files folder as a default location. This location
can be changed during the installation process.
\ScriptLogic Manager
This folder consists of all necessary program files needed by the
program manager. This includes online help and default configurations
for the Desktop Authority Manager. This folder is shared as SLOGIC$
by the default installation.
\ScriptLogic Manager\DesktopAuthority.
This shared folder contains the Desktop Authority programs to be
deployed to client workstations for the Remote Management
component. This folder is shared as SLDAClient$.
\ScriptLogic Manager\Logs
The Logs folder contains all log files created and configured as
specified on the Logging object found within each profile. This folder
is shared as LOGS$ by the default installation.
42
Installation
\ScriptLogic Manager\Modules
This folder and all subfolders contain necessary program files used
to run various modules of Desktop Authority.
\ScriptLogic Manager\MS Updates
The MS updates folder contains various files that are needed for
proper execution of Desktop Authority. You will be prompted if these
files must be installed.
\ScriptLogic Manager\Repositories
The Repositories folder contains all Generated Reports, Pre-Defined
Reports and User-Defined Reports files.
\ScriptLogic Manager\Scripts
The Scripts folder includes all necessary files to load and run KiXtart
and Desktop Authority scripts. This folder includes the configurations
made in the Desktop Authority Configurations dialog box. The files
in the Scripts folder will be published to the domain controllers when
replication is requested. This folder is shared as SLSCRIPTS$ by
the default installation.
\ScriptLogic Manager\Services
The Services folder contains the files necessary to create and
configure the ScriptLogic and Update services.
\ScriptLogic Manager\SLMSDEScripts
The SLMSDEScripts folder is used by the system. It holds database
scripts that will create and update the ScriptLogic database. The
contents of this folder should not be modified.
\ScriptLogic Manager\Software Management
The Software Management folder contains necessary files for
Software Management and Deployment.
\ScriptLogic Manager\TemplateFiles
The TemplateFiles folder contains a copy of administrative templates
that are imported into Desktop Authority. By default, all
administrative templates found in the Windows folder are
automatically imported into this folder and are automatically
available for use within the Manager.
43
Administrator's Guide
INSTALLATION CHECKLIST
Where should Desktop Authority be installed?
Desktop Authority may be installed to any Domain Controller or
Member Server using Microsoft Windows 2000 or above. Once Desktop
Authority is installed, the Manager can run from a shortcut on a
machine with Microsoft Windows NT 4.0 or greater.
Two special user accounts must be available before the
install is started.
Conventional scripts typically execute under the security context of the
user logging on. Unless users are made administrators of their own
machines, the ability to perform administrative tasks through a
centralized logon script will be limited to each user's rights on their
computer.
One of the key advantages offered by Desktop Authority is the ability
to perform tasks that require administrative rights without sacrificing
user-level security at the workstation. By using a specialized service,
Desktop Authority is able to make changes to the registry, install
software, add printers, synchronize time and perform any other tasks
that require elevated rights during the logon, logoff or shut down
sequences.
During setup, the ScriptLogic Service will be installed on one or more
designated servers. When needed, this service will get automatically
deployed to workstations during the logon process.
To install the ScriptLogic service, two unique sets of user credentials
must be supplied. One user account must have local administrative
rights on each workstation. By default, the Domain Admins group is a
member of the local Administrators group on each workstation, so
selecting a user account that belongs to the Domain Admins group
would satisfy this requirement. This account will be used by the
ScriptLogic service on each server to remotely install the ScriptLogic
service on each workstation.
In addition, both the Desktop Authority OpsMaster service and the
Update Service require an account with local administrative rights.
These services will run under the context of this user account.
44
Installation
The second user account will be used by the ScriptLogic service on
each workstation to perform the actual tasks that require the elevated
administrative rights. This user account only needs to be a member of
the Domain Users group.
Be sure to remember the logon name and password for these
accounts. You will be prompted for it during the install if you
choose to install the ScriptLogic service.
Allowing the Desktop Authority setup program to install the service to
all domain controllers is preferred and provides the best form of loadbalancing.
If you cannot install these services at the time of the install, they can
be installed at a later time using Server Manager. It is recommended
that this be set up during the installation.
45
Administrator's Guide
INSTALLATION BACKUP
The simplest way to secure your files before upgrading is to
navigate to C:\Program Files\ScriptLogic Manager (using
Windows Explorer) on the domain controller where Desktop Authority
is installed. Press CTRL-A to select all files in this folder. Press CTRL-C
to copy the files to the clipboard. Create a new folder and press CTRLV to paste these files into this new backup folder.
46
Installation
INSTALLING DESKTOP AUTHORITY
The following series of steps walk you through the installation of
Desktop Authority. Although Desktop Authority can be installed on a
Domain Controller, ScriptLogic Corporation suggests installing Desktop
Authority on a Member Server (with a NETLOGON share). Be sure to
read the Installation Checklist to make sure your systems meet the
minimum requirements and learn about the information you will need
to know for the setup.
The Desktop Authority installation requires administrative rights. If you
are not logged on as an administrator, please log on as an
administrator before beginning the installation.
If you are installing Desktop Authority from a CD and your CD-ROM
supports AutoRun, the Desktop Authority install will begin
automatically. If the installation program does not begin automatically,
press the Windows Start button and select Run. At the prompt, type
x:\setup.exe, where x is the
letter of your CD-ROM drive. Click OK.
The installation wizard walks through a series of dialog boxes
prompting for information that is needed to copy the Desktop
Authority program to your server as well as configure Desktop
Authority for its initial use. Click Next on each dialog box to advance
to the next option. Click Back to go to the prior dialog box. Click
Cancel to abort the install.
1. Welcome is the initial dialog box. Click Next to continue.
2. The License Agreement dialog box appears. If you agree with
the license agreement, select the I accept the terms of the
license agreement option. Click Next to continue.
3. The following information dialog describes the required
prerequisite components that Desktop Authority will install if
necessary. The listed components will be installed following the
installation if they do not already exist. These components
include Windows Installer version 3.1, Microsoft Data Access
Components (MDAC) version 2.8, SQL Distributed Management
Objects (SQL-DMO), Microsoft SQL Server 2005 Express Edition
(only required if this is the selected database during the
install), Microsoft .NET Framework 1.1 and Microsoft .NET
Framework 2.0 (only required if SQL Server 2005 Express
Edition is the selected database during the install). Click Next
to continue.
47
Administrator's Guide
4. If the install is an upgrade of Desktop Authority, select from
either Typical Installation or Express Upgrade.
A typical installation will request Customer Information (User
Name and Company Name), provide version Release Notes,
destination path, Log path and Log share details. This option
should be selected for first time installations of the product or
to view or change any of the mentioned dialogs.
Express upgrade will skip the above mentioned dialogs and go
directly to the Ready to Install the Program dialog. This option
should be chosen for upgrades only. If Express upgrade is
chosen, skip to step 10 below.
Click Next to continue.
5. On the Customer Information dialog enter User Name,
Company Name and Serial Number in the appropriate
entries (User Name and Company Name are required). If you
have purchased Desktop Authority, enter your registration
code. Users evaluating Desktop Authority should leave the
registration code blank.
Click Next to continue.
6. On the Choose Destination Location dialog box, select a
path and destination folder. The default installation path is
x:\Program Files\ScriptLogic Manager. Press the Change
button to select a different path. Click Next to continue. Select
a setup destination. Select This Computer to install Desktop
Authority to the computer which is running the installation
program.
Click Next to continue.
7. Desktop Authority can automatically record logon information
to a central location. Each day, a Comma Separated Value file
will be created in the destination folder you select. The contents
of the log files are customizable within each profile's logging
object.
The default log path is x:\Program Files\ScriptLogic
Manager\Logs. To select a different path, click Browse and
select a new path and destination folder.
Choose this directory carefully. Log files grow in size as
they are constantly updated every time a user logs into
the network. Make sure the drive has enough available
disk space to handle these logs.
Click Next to continue.
48
Installation
8. The Select Log Share dialog box appears. Enter the share
name of the Logs folder. By default, the installation program
creates this share name as LOGS$. Leave this entry blank to
disable logging.
Logging may be enabled at a later time within the
Desktop Authority Manager.
Click Next to continue.
9. If you are upgrading Desktop Authority the previous version will
be detected at this point. You are informed that all existing
configurations will be saved. Click OK button to continue to
accept the notification.
Before installing any product upgrade, a complete
backup should be performed.
10. Click Install on the Ready to Install the Program dialog to
proceed with the installation.
11. After the installation is finished, click Finish on the Setup
Complete dialog to complete the installation and begin the
configuration stage.
12. On Windows 2008 Servers, the Computer Browser Service is
disabled by default. Desktop Authority requires this service to
be started. If the service is not started, the install will prompt
to set the service to Automatic Startup. Click Yes to start the
service.
49
Administrator's Guide
13. The first time the Manager is loaded, a new installation state
will be detected, prerequisites will be installed and the backend
database configurations will be created.
Click Yes to allow the prerequisites to be installed. Click No to
exit the Desktop Authority configuration phase.
SQL-DMO (Distributed Management Objects) provides a
programmatic (COM) interface to SQL Server. Desktop
Authority uses this to access SQL Server databases. Click Yes
to install SQL-DMO. Click No to exit the Desktop Authority
configuration phase.
The Desktop Authority Manager requires the presence of
Microsoft Visual C++ 2005 Redistributables on the machine.
Click Yes to install this package. Click No to exit the Desktop
Authority configuration phase.
50
Installation
14. Desktop Authority requires an instance of either Microsoft SQL
or Microsoft SQL Server 2005 Express Edition. The database is
used to store all configurations as well as a data collection
repository for reporting. Desktop Authority can install a new
instance of SQL Server 2005 Express or use an existing SQL
Server instance. Select an option in the dialog.
When choosing to use an existing SQL Server instance, type in
the SERVERNAME\INSTANCE or press the Refresh List button
to gather up existing instances for selection in the drop list.
Select an authentication method for SQL Server.
Click OK to continue. Click Cancel to exit the Desktop
Authority configuration phase.
51
Administrator's Guide
15. If SQL Server 2005 Express Edition was selected to be used
with Desktop Authority, it will now be downloaded and installed
along with the Microsoft .NET Framework Version 2.0
Redistributable Package which is required by SQL Server 2005
Express.
Click Download to start this process.
52
Installation
16. Next, a folder must be selected to hold the database files.
Locate and select a folder.
The default database location is c:\Program
Files\ScriptLogic\Databases.
Click OK to deploy and populate the database instances.
53
Administrator's Guide
17. The OpsMaster Service will now be configured. This service is a
background service that is used to manage and configure
Desktop Authority's plugins. These plugins are used to perform
specific operations such as audit data collection and the
execution of scheduled reports. Enter the User name and
Password for a user account that belongs to the Domain
Admins group. The user name should be entered in the
to use the Resource
form of Domain\Username. Click
Browser to browse the network and select an appropriate user.
Click OK to continue.
54
Installation
18. The OpsMaster service by default will run on port 8017. If this
port is being used by another application, enter an available
port. If a firewall is being used, be sure the port entered here is
configured for use with the firewall.
19. Desktop Authority configuration can add a selected Group to
the Role Based Administration system. This group will be
granted Super Users/Groups permissions. Super Users/Groups
have unlimited access to Desktop Authority configurations.
Enter a Group (Domain\Group) or select the group from the
browser and press OK.
55
Administrator's Guide
20. Server Manager will be now be configured. Server Manager
must be updated with appropriate Domain Controllers
and member servers and the ScriptLogic service must be
installed/updated.
If this is the first-time installing Desktop Authority (i.e. not an
upgrade), you will be prompted to auto-detect the Domain
Controllers on your network. Click Yes to automatically allow
Desktop Authority to locate your domain controllers and
populate them in the list. You can manually update the server
list by clicking No. To manually add a server to the server list,
click Add from the Server Manager dialog. To force Server
Manager to automatically discover your networks servers, click
Discover from the Server Manager dialog.
You are now prompted to deploy the ScriptLogic service to all
domain controllers in the server manager list. Click Yes to
deploy the service. Click No to deploy the service manually at a
later time. To install the ScriptLogic service manually, from the
Server Manager, click on the individual service cell or the
ScriptLogic Service column header to select all servers.
Right-click on the selected server(s) and select Install or
Update image from the shortcut menu.
56
Installation
Enter the Login Id and Password for both a Domain Admin and
a Domain User account. These entries are required for the
service to be installed. The Domain must also be provided. Click
More Info to read about these two necessary accounts.
Click OK to continue. In a few moments the service will be
installed/updated and started on the selected server(s) and the
Manager is loaded.
57
Administrator's Guide
21. If either the Patch Management or Anti-Spyware features will
be used, the Update Service must be installed and started. This
is done from the Service Management tab within the Server
Manager.
To install or update the Update Service, click on the individual
service cell or the Update Service column header to select all
servers. Right-click on the selected server(s) and select Install
or Update image from the shortcut menu.
Enter the Log on as and Password for a Domain Admin account.
This entry is required for the service to be installed.
Click OK to continue. In a few moments the service will be
installed/updated and started on the selected server(s).
22. For each server in the Server Manager list, confirm the Target
column. The box should be checked for each server that will
host Desktop Authority’s configuration files for replication. This
should be checked for all authenticating domain controllers.
58
Installation
REGISTRATION
If no registration code was entered at the time Desktop Authority
was installed, you must register your product to remove the evaluation
time period. A registration code is provided at the time of purchase. All
configurations made during the evaluation period are immediately
available after the registration key code is entered. You can continue
all administrative functions immediately.
Enter the provided registration key code by selecting Product
Registration from the Help menu or select the Desktop Authority
Registration program in the ScriptLogic program group from your
Windows Start menu. The following dialog box opens:
Fill in the following entries on the registration dialog box:
Name
Enter the Name that Desktop Authority is registered with. Make sure
to type this information carefully. This entry is case-sensitive and
must be the same name it was purchased with.
Company
Enter the Company that Desktop Authority is registered with. Make
sure to type this information carefully. This entry is case-sensitive
and must be the same company name it was purchased with.
59
Administrator's Guide
Key
Enter the registration key supplied at the time of purchase.
Click Register after entering the above information. If any of the
above fields are incorrect, you will be prompted with an appropriate
message.
If you have been supplied with a copy of a register.ini file, click
Browse to locate it. If chosen, the register.ini file will automatically fill
in the Name, Company and Registration Key entries.
If all registration data is entered and verified to be correct, you are
prompted to replicate the change to the domain controllers. Click Yes
to replicate the registration data or No to replicate the data at a later
time. The registration process does not become effective until the data
is replicated.
Once the product is registered and the information is replicated, the
Desktop Authority Manager will display the registered owner’s name
and license information.
Updated registration information is not displayed in the
Desktop Authority Manager or on client machines until the
client logs back onto the network following the time that the
registration information is entered and replicated through the
system.
60
Installation
OPTIONAL COMPONENTS
Spyware Detection and Removal option (not available in
Desktop Authority Express)
Out of the box, Desktop Authority offers the ability to download
spyware definition updates and detect spyware on desktops. In
other words, without purchasing the Spyware Removal option,
administrators can find out exactly how much spyware is currently
residing on desktops across the network.
Once the Spyware Removal option is enabled, quarantining and
removal options are available to rid client machines of unwanted
spyware. In the event that SDR reports that an application is
classified as spyware even though it is known to be benign or an
acceptable risk, SDR can be configured to exclude that application
from detection.
Patch Deployment for Desktops option (not available in
Desktop Authority Express)
The Patch Deployment for Desktops option takes the tasks of
downloading patches from Microsoft, distributing them to
deployment servers, selecting appropriate patches, selecting clients
and deploying patches, and wraps them all up into the easy-to-use
Desktop Authority Manager console, minimizing the amount of time
required by administrators to manage patch deployment, while
maximizing control over the patch management process.
61
Administrator's Guide
USB/Port Security option (not available in Desktop
Authority Express)
The myriad of portable storage mediums today make it essential for
corporations to prohibit or monitor the use of certain devices on the
company network. These devices can be very harmful to a
corporation. Confidential data can easily be copied to any portable
device, viruses can be introduced to the network and spread
corporate wide and illegal software can be copied to the company
network.
Desktop Authority helps the enterprise control this problem by
introducing USB/Port Security. USB/Port Security is an optional addon that enables the enterprise to restrict users and/or groups from
using specified types of removable storage devices by restricting
access to them. By creating rules within Desktop Authority, a
permanent access control list is made available for all portable
devices and is configured on each computer that matches the
defined Validation Logic.
62
The User Interface
OVERVIEW
The Desktop Authority Manager is the Administrator's tool to centrally
manage profiles and client configurations. All Desktop Authority
configurations are defined within the manager. The manager is also
used to replicate and deploy settings to clients during the logon
process. It also provides access to configure Global, Profile, and
Remote Management settings. Server Manager and Report Generator
are also accessed from within the manager.
The Desktop Authority Manager is comprised of the following sections:
•
Menu Bar
•
Toolbar
•
Navigation pane
•
View pane
•
Status Bar
The Manager requires Internet Explorer version 4.01 or greater to be
installed. If Patch Management or Anti-Spyware are deployed, Internet
Explorer version 4.10 SP2 is required.
63
Administrator's Guide
The figure below shows the location of each section in the manager.
Menu Bar
The menu bar provides pull-down menus that save and replicate the
Manager's changes, maintain and/or update profiles in the navigation
tree, customize the look of the manager, provide access to Server
Manager, Report Generator and Remote Management. Help is also
available from the menu bar. These menu items are also available in
their respective part of the Navigation pane.
Some selections on the menu bar may be unavailable (disabled)
depending on the currently selected functionality.
Toolbar
The Toolbar provides icons for fast and easy access to commonly used
functions. The available toolbar icons are New (Profile and
Configuration Element), Save changes, Replicate changes, Server
Manager, Report Generator, Cut, Copy, Paste, Undo, Redo, Print,
About, Move up and Move down.
64
The User Interface
Navigation Pane
The Navigation pane is used to select an object to work with. The View
pane changes based on the object selected in the Navigation pane.
View Pane
The View pane is used to set configurations for the currently selected
object in the Navigation pane.
Status Bar
The status bar shows the current status of manager. It can be either
Red (not saved), Yellow (saved, not replicated) or Green (saved and
replicated).
65
Administrator's Guide
MENU BAR
The Menu Bar provides five menus used to perform operations on the
various elements in the Navigation pane. Menu items are enabled or
disabled according to the selected item in the Navigation pane.
Disabled menu items appear on the menu but are grayed out and will
not perform any action if clicked on.
Menu
Description
File
Use the File menu to Save and Replicate changes. You
can also Queue an Update of Client files, Import and
Export profiles, set program Preferences, Create
program shortcuts and set Global System settings.
Edit
Use the Edit menu to add new profiles and update
configuration entries in existing profiles. This menu
includes items for New Element, Undo, Redo, Cut,
Copy, Paste, Delete and New Profile.
View
Use the View menu to change the appearance of the
Manager. This includes managing the Manager's
toolbars, Status bar, Shortcut Pane, Toolbar themes,
Pane themes, and sorting of profile objects. Server
Manager can also be run from the View menu. Select
Reset to Default to set the Manager's orientation back
to its default view which includes the Navigation Pane,
Shortcut Pane and View Pane.
Role Based
Administration
Use the Role Based Administration menu to configure
Super Users/Groups and define Global Roles that
define the resource actions that are allowed by any
member assigned under the role. Also, select to
Change the Operations Master service Credentials from
this menu.
Remote
Management
(not available
for Desktop
Authority
Express)
Help
66
Use the Remote Management menu to Remotely
Manage the highlighted computer in the Remote
Management tree of the Navigation Pane.
Use the Help menu to display Help on the selected
item. The Help menu also displays information about
the Manager.
The User Interface
TOOLBAR
The toolbar provides icons that provide access to the most commonly
used Manager functions. Access to each item is based on the object
selected in the Navigation pane. If an icon on the toolbar does not
apply to the selected object in the Navigation pane, it is disabled.
Disabled icons appear on the toolbar but are grayed out and will not
perform any action if clicked on. Move the mouse cursor over any
available icon to view a description of it use.
Button
Name
Function
New
New configuration entry
or new profile.
Save
Save all changes
Replicate
Server Manager
Report Generator
Cut
Replicate changes.
Run Server
Manager
Run Report
Generator
Cut selected text
Copy
Copy selected text
Paste
Paste selected text
Undo
Undo action
Redo
Redo action
About
About
Move Up
Move Down
Move configuration
element or profile up.
Move configuration element or
profile down.
67
Administrator's Guide
VIEW PANE
The View pane contains all content for the selected object on the
Navigation pane. For most objects the View pane contains a list to the top of
the pane and configuration tabs below the list.
Shortcuts
All configuration lists use a common shortcut key of CTRL-A to
Select all items in the list.
Drag and Drop
Elements in the Configuration lists may be prioritized by clicking
Move Up ( ) and Move Down ( ) on the toolbar or by Selecting
specific elements and drag them to a new location in the list.
Toggle Description Column
The Description column in the Configuration list may be toggled to
be displayed or hidden by pressing the F3 key.
68
The User Interface
NAVIGATION PANE
The Navigation pane contains a hierarchical tree that displays the
available objects in the Manager. The manager tree features
functionality for
•
System Dashboard
•
Global Options
•
Remote Management (not available for Desktop Authority
Express)
•
Profile Configurations
Click / to expand or contract each object on the manager's tree.
Double-clicking will also expand or contract the tree objects. Upon
selecting an object from the navigation tree the View pane will change
to reflect the specific settings for that object.
69
Administrator's Guide
STATUS BAR
The Desktop Authority Manager contains a status bar which displays a
colored LED. This LED indicates the status of the Manager's current
configurations. This tells at a glance if the most recent configuration
changes have been saved and/or replicated.
The LEDs represent the following statuses:
(Red) This status indicates that the updated configurations have
not been saved or replicated.
(Yellow) This status indicates that the configurations have been
saved but have not yet been replicated.
(Green) This status indicates all changes made within the Manager
have been successfully saved and replicated.
70
The User Interface
SHORTCUT PANE
The Shortcut pane is used to provide links to
commonly used functions of the program.
Upon entry into the manager, the shortcut
pane is closed. It can be shown by selecting
Shortcut Pane from the View menu. Close
the Pane by again selecting Shortcut Pane
on the
from the View menu or by clicking
top right of the pane. The Shortcut Pane is
broken up into two groups, Web links and
Quick Actions.
The Web Links section of the Shortcut Pane
provides links to the ScriptLogic web site,
home page, support and discussion forums
pages.
The Quick Actions section provides links to
Save and Replicate changes in the Manager.
71
Administrator's Guide
PREFERENCES
The Preferences dialog presents several options that are used to
configure the Manager’s settings. Select Preferences... from the File
menu on the Manager's menu bar.
Edit tab
The Edit tab provides several options that configure the way each
object configuration list works. These options set up an optional
confirmation when deleting list elements, as wells as default
description options for list elements.
Default description for new list elements
Each object configuration element has a description associated with
it. Specify the default description for use on each new configuration
element. Several predefined dynamic variables may be used in the
description. They are currently limited to: $USERID, $FULLNAME,
$WKSTA, $DATE and $TIME.
The description may be overridden for each configuration element.
By default, hide description column
Select this box to hide the description column in the object
configuration lists. Clear this check box to display the description
column in the object configuration lists. Press F3 to toggle the
Description column, on and off, within the list.
72
The User Interface
Custom Script Editor
Define the program to execute when creating or modifying custom
scripts. Any ASCII editor may be used. There are several third-party
specialized KiXtart-aware editors available.
to find the program location. The default Custom Script
Click
Editor is Notepad.exe.
Advanced tab
The Advanced tab provides several advanced options that the Desktop
Authority Manager uses at startup. These options include Resource
Browser options and Deep Drive Mapping options.
Enumerate resources from this DC:
Tell Desktop Authority to use a specific domain controller in order to
enumerate Group and User information. A Domain Controller may
be manually typed into the field or selected by pressing the Select
, button. Leave blank to allow the network to decide
Server,
which DC to query for necessary resources.
By default, show hidden shares in resource browser Select or clear
this check box to control the default value of the Show Hidden
option on the Desktop Authority resource browser. The Resource
Browser is the file browser that is called when
is clicked.
73
Administrator's Guide
By default, allow deep drive mappings in resource browser
Deep Drive Mappings provide the ability to allow drive mappings to
a subfolder inside a network share as opposed to solely the network
share.
Select or Clear this check box to control the default value of the
Deep Mapping option on the Desktop Authority resource browser.
The Resource Browser is the file browser that is called when
clicked.
is
Deep drive mappings are fully supported on Windows 2000
operating systems or newer. A Windows NT 4.0 client can
only perform a deep mapping if the Dfs client component is
installed. Desktop Authority will disallow the selection of 95,
98, Me and NT operating systems when deep drive mappings
are used*.
**Windows 95, 98, Me and NT4 clients are no longer supported.
74
The User Interface
CREATE PROGRAM SHORTCUTS
The Create program shortcuts menu selection will easily create
Desktop Authority shortcuts in the Start menu Programs group and on
the desktop.
Click Ok to proceed with shortcut creation.
Click Cancel to return to the manager without creating shortcuts.
75
Administrator's Guide
THEMES
The Desktop Authority Manager supports various Themes that each
provides for a different look to the Toolbars and Panes of the manager.
Toolbar Themes
Office XP
Office 2000
Office 2003
Windows XP
76
The User Interface
Pane Themes
Office
Grippered
Visio
Office 2003
Windows XP
77
Administrator's Guide
RESOURCE BROWSER
The Resource Browser dialog, most commonly used to configure
validation logic, is used to select a specific object from the network
resources. The selectable objects are domain, group, OU, user,
computer name, file name, folder, servers and printers. The contents
of the dialog are based on the object that the Resource Browser is
called from.
The
78
icon is used to call the Resource Browser.
The User Interface
GLOBAL SYSTEM SETTINGS
SMTP Settings
The Reporting object includes a report scheduler and can email reports
to specific users or a distribution list.
System SMTP Server
The name of the SMTP server that email will be sent through.
System SMTP Port
The SMTP port that the server is listening on.
System SMTP UserID
Some SMTP servers require a userid and password in order to send
mail. Enter the SMTP UserID here.
System SMTP Password
Some SMTP servers require a userid and password in order to send
mail. Enter the SMTP Password here.
79
Administrator's Guide
HTTP Settings
The Desktop Authority OpsMaster service runs Web Services and uses
the following options to communicate
System HTTP Server
The server that the OpsMaster service is running on.
System HTTP Port
The port that the OpsMaster is listening on.
Reporting SQL Settings
Server
The database server where the Reporting database is held.
Database
The name of the reporting database, by default this is
DAREPORTING.
Configuration SQL Settings
The Configuration database holds all data that the Manager uses to
configure profiles.
Server
The database server where the Configuration database is held..
Database
The name of the configuration database, by default this is
DACONFIGURATION.
ADMX File Location
Enter the path where ADMX files will be copied to when imported into
Desktop Authority. This is the folder DA will use to manage all
imported ADMX files. Click
80
to browse to the path.
The User Interface
USING AND CONFIGURING PROFILES
A Profile is a collection of elements that define a set of configurations
and default profile settings, including log file definitions, default
descriptions, default Validation Logic settings, alerts and custom
scripts. Profiles are applied to a particular category of users or
computers based on the validation logic defined in the profile settings.
A profile may contain other profiles (children). This allows for greater
flexibility and further granularity for its contained configuration
elements.
Profiles are evaluated and applied to the current user's working
environment during the logon and/or logoff process. Only profiles that
pass the Validation Logic test will be executed at the specified time on
the client.
Using profiles enables greater manageability and control over client
configurations. Using profiles also offers the reward of faster logon
script processing. Since profiles tend to break down a large number of
configurations into smaller groups of configurations, not all settings
are processed or validated at logon time. If a profile is deemed to be
invalid for the client, all elements in the profile are bypassed thus
saving the processing time it would have normally taken to validate
each of the elements separately.
The Manager displays profiles within the Profiles branch of the
Navigation tree. Profiles are listed in the order that they will
be evaluated for execution. Click / on a profile to expand or
contract the objects contained within the profile. Double-clicking the
profile name will also expand or contract the contained objects. The
and
order of the profiles may be rearranged by clicking the
toolbar buttons. Profile ordering can also be rearranged by using a
drag-and-drop operation.
81
Administrator's Guide
Profile Management
Creating Parent (top level) Profiles
To create a new parent or top level profile,
1. Right-click on the Profiles branch of the navigation tree.
2. Select New Profile from the shortcut menu.
3. The new profile is added as the last profile in the Profiles
list.
4. Enter the new profile's name.
Every newly created profile is automatically assigned a Profile Admin
Role by default. The Profile Admin role by default has full access to
Add, Change and Delete elements in all Profile objects as well as the
ability to add, change and delete profiles.
Creating Child Profiles
Profiles may contain child (sub) profiles. A child profile is a profile
that is contained within another profile. The child profile will be
evaluated for execution if and only if the validation logic for the
profile above it is true.
To create a child profile,
5. Right-click on the parent profile to which the child profile
will be added under.
6. Select New Child Profile from the shortcut menu.
7. The new profile will be added as the last child profile within
it's parent.
8. Enter the new child profile's name.
Every newly created profile is automatically assigned a Profile Admin
Role by default. The Profile Admin role by default has full access to
Add, Change and Delete elements in all Profile objects as well as the
ability to add, change and delete profiles.
82
The User Interface
Deleting Profiles
To delete a profile,
1. Right-click on the profile to be deleted.
2. Select Delete Profile from the shortcut menu.
3. On the deletion confirmation dialog, click Yes to remove the
selected profile along with any child profile within it. Click
No to cancel the deletion.
4. If the deletion if confirmed, click Yes on the subsequent
dialog to permanently remove the physical file that contains
the profiles configurations. Click No to leave the
configuration file in the SLSCRIPTS share. Leaving the file in
the share provides the opportunity to recreate the profile by
importing the file in the future.
Copying Profiles
To copy a profile,
1. Right-click on the profile to be copied.
2. Select Copy from the shortcut menu.
3. The profile is copied to the clipboard. It is now available to
paste from the clipboard to another location
4. To paste this profile as a child profile, right-click on a Profile
name and select Paste from the shortcut menu. To paste
this profile as a parent (top level) profile, right-click on
Profiles and select Paste from the shortcut menu.
Moving Profiles
Profiles can be moved within a parent profile to change the order in
which it is evaluated, they can be moved into another profile or they
can be moved to a parent (top) level profile.
To move a profile,
1. Select the profile to move by clicking on it. Holding the left
mouse button down, drag the profile to the location it will
be moved to and drop it by releasing the left mouse button.
A profile cannot be moved to a child profile within itself.
or
1. Placement of a profile can also be changed by clicking or on
the toolbar. This will move a child profile up one or down
one within its parent, or a parent (top) level profile up or
down one within the parent profile processing order.
83
Administrator's Guide
Import Profiles
Profiles can be imported for the use of restoring a previously
exported profile, or for importing into another Desktop Authority
Manager.
To import a profile,
1. Right-click on the profile to be imported.
2. Select Import from the shortcut menu.
Export Profiles
Profiles can be exported for the use of a backup, or for importing
into another Desktop Authority Manager. Export copies the selected
profiles configurations (profile.slc, profile.sld and profile.slp) to a
selected location.
To export a profile,
1. Right-click on the profile to be exported.
2. Select Export from the shortcut menu.
3. Select a destination folder.
Exporting a profile does not include any child profiles. They must be
exported separately.
Profile Configuration
Validation Logic
Validation Logic is used in conjunction with profiles to determine
whether the configuration elements within a profile should be
considered for processing on the client. Once the profile passes the
validation test, each configuration element within the profile is
processed. These entries are first verified by testing the validation
logic defined for the entry. If the entry passes the validation logic
test, it is executed on the client. If the validation logic for the profile
does not meet the client specifications then no elements within the
profile are processed.
It is important to keep in mind that not all configuration elements
will be executed on a client just because a profile passes the
validation logic test. This is due to the secondary validation logic
provided for, on individual configuration element within the profile.
For detailed information about Validation Logic settings see the
Validation Logic concepts help topic.
Only a Super User/Group has the ability to change the
Validation Logic on a root level profile.
84
The User Interface
Default Validation Logic
Default Validation Logic is used to provide defaults to any new
configuration element defined within the profile. Changing the
Default Validation Logic for a profile will not change the validation
logic defined for the profile or any existing configuration element.
For detailed information about Validation Logic settings see the
Validation Logic concepts help topic.
Only a Super User/Group has the ability to change the
Default Validation Logic on a root level profile.
Definitions
The Definitions tab is available in order to define custom dynamic
variables. These variables may be used in any custom script within
the profile or any configuration element that uses the Custom
Variable validation logic type. Press the Edit button to add entries to
the definitions file. The definitions file may only contain valid KiXtart
script code.
Only a Super User/Group has the ability to change the
Definitions on a root level profile.
Advanced
The Advanced tab contains specialized profile options.
Select the If this profile is validated during execution, do not process
any subsequent profiles option, to stop processing all following
profiles once this profile is validated and processed.
Keep in mind that profiles are processed in the order that they
appear in the navigation pane. The order of the profiles may be
rearranged by using any of the methods described in the Profile
Management topic.
Only a Super User/Group has the ability to change the
Advanced options on a root level profile.
85
Administrator's Guide
Permissions
The Permissions tab is used to assign permissions to users by
assigning a user to a role.
Roles are created from the Role Based Administration menu
selection. Most often roles are established to represent a common
job function that is performed by one or more employees. A role
defines the functions that a member of the role will be able to
perform.
For more detail on using Role Based Administration, see Role Based
Administration Overview.
To update the members of a role, select the Role from the Roles list.
Click Add Member or Delete Member to update the Members list.
Only a Super User/Group has the ability to change the
Permissions on a root level profile.
86
The User Interface
USING AND CONFIGURING PROFILE OBJECTS
The View Pane for each object within a profile is divided into two
sections. The Configuration Element List and the Configuration
Element Settings.
The Configuration list is where all settings for the object are held. As
Desktop Authority processes the configuration elements defined by the
configuration list, Validation Logic is applied to each element,
beginning with the top of the list. Prioritize the list entries by clicking
Move Up ( ) and Move Down ( ) to reorganize the list.
and/or
from the tool bar to undo or redo a
Click
configuration element setting.
The bottom half of the object's View Pane contains the settings for
individual configuration elements for the object.
87
Administrator's Guide
Using the Configuration Element List
Creating Configuration Elements
To create a new configuration element,
1. Right-click on the configuration list.
2. Select either New Element or New Element at Selection
from the shortcut menu.
New Element will insert a new configuration element at the
bottom of the list. New Element at Selection will insert a
new configuration element above the currently selected
element in the list.
A configuration element may also be added to the list by
selecting New Element from the Edit menu.
88
The User Interface
Modifying Configuration Elements
Modifying a configuration element is simple. Once the element is
selected in the configuration list, the Settings tab will automatically
display the settings for the element. Change as needed.
Multiple elements may be modified together. Select multiple
elements using the standard Windows techniques. Select all
elements in a list by pressing CTRL-A or by selecting Select All from
the Edit menu. Once the elements are selected, their settings will be
shown on the Settings tab. Any control on the settings tab that has
different values for all selected elements will clear the value from
display. Check boxes with different values will display .
89
Administrator's Guide
Deleting Configuration Elements
To delete a configuration element,
1. Right-click on an element in the configuration list.
2. Select Delete from the shortcut menu.
The element is immediately removed from the list.
Configuration elements may also be deleted by pressing the
DEL key after selecting the element or by selecting Delete
from the Edit menu. Select multiple elements for deletion
using the standard Windows techniques. Select all elements
in a list by pressing CTRL-A or by selecting Select All from
the Edit menu.
90
The User Interface
Copying Configuration Elements
To copy a configuration element,
1. Right-click on an element in the configuration list.
2. Select Copy from the shortcut menu.
3. Paste the element into a new position in the list by rightclicking in the configuration list. Select Paste from the
shortcut menu.
A configuration element may also be copied by selecting the
element in the configuration and choosing Copy and Paste
from the Edit menu or by pressing CTRL-C and CTRL-P. One
or more configuration elements may be copied and pasted
into a configuration list. Select multiple configuration
elements using the standard Windows techniques. Select all
elements in a list by pressing CTRL-A or by selecting Select
All from the Edit menu. Copied element(s) may be pasted
into any other profile and must be pasted into the same
object type.
91
Administrator's Guide
Moving Configuration Elements
Elements within the configuration list are processed in the order
they appear in the list. To change the order of any elements in the
list,
Select the element to move by clicking on it. Holding the left mouse
button down, drag the element to the location it will be moved to
and drop it by releasing the left mouse button.
or
Placement of a configuration element can also be changed by
or
on the toolbar. This will move an element up one or
clicking
down one in the configuration list.
Configuring Elements
Most often, the settings for an object consists of a Settings tab,
Validation Logic tab and Description tab. Click on each link below to
learn more.
Settings tab
The Settings tab contains the configurations options for the object.
Some objects may contain other tabs which contain additional object
settings.
Validation Logic tab
The Validation Logic tab contains the Validation settings for a
configuration element.
The Validation Logic Rules list is not required to contain any rules. If
no rules are specified, the element is automatically validated on the
client based on the specified Class, Operating System, Connection
Type and Timing.
Description tab
Enter text on the Description tab to be used as an explanation for
the configuration entry. The description defaults to the Default
Description defined in Preferences on the Edit tab.
92
The User Interface
SCRIPTLOGIC TODAY
ScriptLogic Today provides product evaluation and registration
information as well as links to the ScriptLogic web site. Within the
ScriptLogic Today object links are provided to specific pages on the
ScriptLogic web site, Home, Support, Knowledge base Articles, Custom
Scripting, and the API Library.
These areas of the ScriptLogic web site provide access to technical
information and help about ScriptLogic's products.
Home
The ScriptLogic web site's home page.
Support
The ScriptLogic web site's technical support page.
Knowledge base Articles
The ScriptLogic Knowledge base provides articles regarding common
questions and issues. Search by article number, product or keywords
to find information to help diagnose and solve product questions.
Custom Scripting
Although Desktop Authority provides virtually all core requirements
right out of the box, it may be necessary to add additional functionality
using custom scripts. Custom Scripts are written using the KiXtart
scripting language. The Custom Scripting library provides many readyto-use scripts that have been contributed by customers, certified
partners and the ScriptLogic technical support team. Take a look
through the library to see if a script has already been written to solve
your needs.
API Library
An extensive API library is available for use in Desktop Authority. The
API library includes an array of functions and variables that are ready
to use with our solutions. Use API variables and functions in Custom
Scripts, Global Definitions, Profile Definitions and within virtually every
profile object.
93
Administrator's Guide
SYSTEM DASHBOARD
The System Dashboard provides product information including version
and registration information. The Dashboard also provides links to the
ScriptLogic web site.
Product Name
The name of the installed product.
94
The User Interface
Version
The version of the installed product.
Evaluation/Maintenance
If evaluating the product, this is the date the evaluation version will
expire. The evaluation is valid for 30 days from the installation date.
If the product, along with maintenance has been purchased, this is
the date the current maintenance will expire.
Operations Master
The Operations Master designates where Desktop Authority is
installed to.
Registered To
The name of the company the product is registered to.
Licensed Seats
Displays the number of seats purchased.
Registered Users
The number of users the product is registered for. In evaluation
mode, this will display the number of days remaining in the
evaluation period.
Seats Used
Displays the number of seats used.
Anti-Spyware (not available for licensing with Desktop
Authority Express)
The license period is shown. If evaluating Desktop Authority or the
Anti-Spyware component, this will be set to Evaluation. When
running a licensed Desktop Authority Express, this will be set to Not
Licensed.
Patch Management (not available for licensing with Desktop
Authority Express)
The license period is shown. If evaluating Desktop Authority or the
Patch Management component, this will be set to Evaluation. When
running a licensed Desktop Authority Express, this will be set to Not
Licensed.
USB/Port Security (not available for licensing with Desktop
Authority Express)
The license period is shown. If evaluating Desktop Authority or the
USB/Port Security component, this will be set to Evaluation. When
running a licensed Desktop Authority Express, this will be set to Not
Licensed.
95
Administrator's Guide
Role Based Administration
WHAT IS ROLE BASED ADMINISTRATION?
Role Based Administration (RBA) restricts Administrator access to profiles and
the configuration elements contained within them. Access to profiles is limited
to users that have been granted specific permissions to them.
A Role is a container that defines the Permissions that are granted to any
Member of that Role. A Role may be Global or Local. Global Roles are defined
by the Super User and can be applied on any Profile in the system. Local
Roles are defined per Profile and can be used to grant Permissions on a
specific Profile and, optionally, its child Profiles. A Member is any user or
group assigned to a Role. Members are assigned to Roles, Global and Local,
at the Profile level. Even when a user or group is assigned to a Global Role,
the membership applies at that Profile only. Resources are Profiles and
Configuration Elements to which Permissions can be granted via Membership
in a Role.
96
The User Interface
Permissions define the actions a member has to a specific resource. They
are setup as part of the role creation process. Parent profiles define the base
permissions and all child profiles inherit these permissions. Allowing for
greater granularity, a child's inherited permissions may be altered at the child
profile level.
The illustrations above depict four default roles (created during installation of
Desktop Authority) within the ACME Corporation. The default roles are Branch
Admin, Profile Admin, Security Admin, Read-Only Admin and Patch Admin. Of
course, this is just one small example. There are an endless number of ways
RBA can be configured to suit an enterprise's administrative hierarchy,
workflow, and segmentation of functional responsibilities.
Branch Admin
The ACME.Domain.Admins group is configured as a member of the Branch
Admin role. This group is given permission to the ACME parent profile. The
ACME.Domain.Admins group is also defined as a Super User/Group. This
means the group will have unlimited access to all profiles and configuration
elements, as well as global options, within the system. It is important to note
that since this group is assigned permissions to the Branch Admin role at the
parent profile level; these permissions are inherited on all child profiles within
ACME Corporation. ACME.Domain.Admins also has unrestricted system access
due to their Super User/Group status.
97
Administrator's Guide
Profile Admin
The Profile Admin role is configured to have View, Change, Add/Delete
permissions to all objects within a single branch of the profile tree. Child
profiles are not included in the Profile Admin's permissions. The
CHI.Site.Admins group is members of the Profile Admin role within the
Chicago child profile only. The NYC.Site.Admins group is members of the
Profile Admin role within the NYC child profile only. Note that user Ajones is
assigned to the Profile Admin role within the CANADA profile.
Security Admin
The Security Admin role is assigned View, Change, Add/Delete permissions to
several configuration objects within a profile. For instance, let’s say the
Security Admin is responsible for pushing out newly released patches and is
also responsible for maintaining current virus definition files as well as
keeping an eye on various spyware attacks. The Security Admin role will be
given permissions to the Patch Deployment, Registry, Application Launcher,
Anti-Spyware and Service Pack Deployment objects. They will be given Deny
access to all other configuration objects. Note in the illustrations above that
the USA.Security.Admin group is assigned membership at the USA profile
level. These permissions are inherited down to both the Chicago and NYC
child profiles. The CAN.Security.Admin group is assigned membership to the
Canada profile.
Read-Only Admin
The Read-Only Admin role is assigned View permissions only to all
configuration objects within a profile. The Read-Only Admin role can be used
for Users or Groups that will not have any ability to change elements within
objects of a profile. In the illustration above, The NYC and CHI Helpdesk
technicians are given the read-only permissions of the Read-Only Admin role.
This way they can troubleshoot user issues and have an approved
Administrator make the necessary changes to their profile. Note that the
Canada profile does not have any User or Group assigned under the ReadOnly Admin role. In this case, either the Branch Admin or Profile Admin has
the necessary permissions to accomplish the same goal.
98
The User Interface
Patch Admin
The Patch Admin role will be used for Users/Group who is responsible for
testing and deploying new patches. In the ACME illustration above, the
ACME.Domain.Admins are assigned to this role. Any Domain Admin in the
domain can apply patches via Desktop Authority to any profile available in the
domain.
Note: Permissions are cumulative at a given profile. This means then
permissions of all roles which a user/group is a member are summed
to define that user/groups total permissions on that profile, including
permissions inherited from above. A user/group can be denied
permission on a resource, irrespective of their cumulative inherited
permissions, by assigning them to a role that grants Deny on that
resource.
In some enterprises, the use of Role Based Administration may not be
necessary. In this case, each user and/or group that will use Desktop
Authority can just be added to the Super User/Group role.
99
Administrator's Guide
CONFIGURING SUPER USERS/GROUPS ACCOUNTS
What is a Super User/Group?
Super User/Group is an attribute of a user or group that provides
specialized system access. The Super User/Group attribute is designed
for privileged users who will have unrestricted access to the system.
Regardless of the roles the user/group belongs to, they will be able to
view and update all objects in the system.
A default Super User/Group is added during the installation of Desktop
Authority. Others may be added to the Super User/Group list by a
Super User/Group.
To access the Super Users/Groups dialog, select Edit Super
Users/Groups... from the Role Based Administration menu.
Besides having full access to all profiles and objects, Super
Users/Groups have other special system permissions.
Super Users/Groups can:
•
create and manage Global Roles
•
modify the Super Users/Groups list and attributes
•
access all Global Options objects
•
create, generate and schedule reports for delivery to other
users/groups
100
The User Interface
Creating a Super User/Group
To add a new user/group to the user list, click Add and select a
user/group from the popup Resource Browser dialog.
Select a user/group from the list and click Delete to remove it.
To apply the Super User/Group attribute to a user account or group,
access the Super User/Group dialog by selecting Edit Super
Users/Groups... from the Role Based Administration menu. If the
user/group that will be crowned Super User/Group exists in the list,
simply select the Is a Super User/Group box for them. If the user or
group is not yet in the Users/Groups list, add them. After adding the
user, select the Is a Super User box for the user.
To remove the Super User/Group attribute from a user, simply clear
the Is a Super User/Group box.
Click OK to save the changes made to the Super User/Group accounts.
Click Cancel to exit the Super User/Group dialog without saving
changes.
101
Administrator's Guide
CONFIGURING ROLES
What is a Role?
A role is a container that defines the actions that are permissible by
members of the role.
Most often, roles are established to represent a common job function
that is performed by one or more users (members). A role defines the
functions that a member of the role will be able to perform. For
example, as shown in the following table, there may be a Super
User/Group who is responsible for defining profiles and maintaining the
system for all sites (Domain Administrator), one or more users may be
in charge of client configurations within their own site (Site
Administrator), another group of users may be responsible for basic
configurations and troubleshooting in their own site (Help desk), and
so on.
Sample Role
Tasks
Required rights
Branch Admin
Oversee and
configure profiles
and clients,
SuperUser, All
permissions
Profile Admin
Oversee and
configure clients
that belong to
their own site.
Add, Change,
Delete
permissions to
all objects
within site's
profiles. Does
not include
child profiles
Security Admin
Responsible for
keeping systems
up to date and
free of spyware,
secure desktops
and run
applications.
Add, Change,
Delete
permissions to
Anti-spyware,
Firewall,
Security Policy,
Group Policy
Templates,
Registry,
Application
Launcher, and
other objects.
102
The User Interface
Read-Only
Admin
Responsible for
general help
desk
troubleshooting
issues.
View only
permission to
all objects with
a profile. Child
profiles are not
included.
Patch Admin
Responsible for
testing and
deploying
patches.
Add, Change,
Delete
permissions to
Patch
Deployment
object.
Roles configure actions for all profile objects including the profile itself.
The configurable actions of a role consist of View, Change, Add/Delete,
and Deny permissions for each of the objects. The first step in
configuring Role Based Administration is to create the roles that will be
used to permit or deny access.
The above Roles are examples administrative roles that could be used.
Role Based Administration allows the creation of as many custom roles
as is needed.
Global Role
A global role is a defined role that is available to all profiles.
Local Role
A local role is defined at the profile level and is available only to the
profile to which it is defined in.
By default, a new installation of Desktop Authority will create a Global
Role named Profile Admin. The Profile Admin role by default has full
access to Add, Change and Delete elements in all Profile objects as
well as the ability to add, change and delete profiles. The permissions
assigned to the profile admin may be modified within the Global Roles
dialog.
103
Administrator's Guide
Configuring Global Roles
Global Roles are created from the Manager's Role Based Administration
menu selection. Select the Edit Global Roles menu item.
To create a new Role, click Add. Enter the name for the new role and
click OK. Click Rename to change a role's name. Click Delete to
remove an existing role. Once the new role is created, permissions
must be assigned to it. View, Change, Add/Delete and Deny
permissions can be configured for each profile object as well as profile
configuration.
104
The User Interface
Global roles may also be created from within a profile. On the
Permissions tab, click Add/Edit Global Roles. Only Super
Users/Groups can create Global Roles.
105
Administrator's Guide
Configuring Local Roles
Local Roles are created from within a profile. Once the Profile is
selected in the Navigation Pane, select the Permissions tab.
To create a new Local Role, click Add/Edit Local Roles.
106
The User Interface
Click Add on the Local Roles dialog. Enter the name for the new role
and click OK. To create a new Role, click Add. Enter the name for the
new role and click OK. Click Rename to change a role's name. Click
Delete to remove an existing role. Once the new role is created,
permissions must be assigned to it. View, Change, Add/Delete and
Deny permissions can be configured for each profile object as well as
profile configuration.
Object Permissions
View
View permissions allow the object to be viewed only. No changes
can be made to existing elements, nor can any elements be added
or removed.
Change
Change permissions allow existing elements within the object to be
updated only. Elements cannot be added or removed.
Add/Delete
Elements can be added to or removed from profile objects. Child
profiles can be added or removed.
Deny
No access is permitted to the object selected in the permissions list.
The object will not be visible in the navigation pane for any member
that is a part of the role.
Deny access overrules all other permissions on an object.
107
Administrator's Guide
CONFIGURING PROFILE PERMISSIONS
The profile's Permissions tab is used to assign a user (member) to a
role. Permissions are applied on a per profile basis. All child profiles
inherit their parent's permissions. See the inheritance topic below for
more information on how permissions are inherited.
To assign user permissions to a profile, first select the Profile. Next,
select the Permissions tab on the View pane.
Add/Edit Local Roles
A local role is defined at the profile level and is available only to the
profile in which it is defined. Click Add/Edit Local Roles to create or
edit a role. The Local Roles dialog will open. For more information on
Local Role configuration see the Configuring Roles topic.
Add/Edit Global Roles
A global role is a defined role that is available to all profiles. To create
a global Role, click Add/Edit Global Roles. The Global Roles dialog
will open. For more information on Global Role configuration see the
Configuring Roles topic.
108
The User Interface
Add/Delete members to/from roles
To add a member to a role, select the role from the Roles list. Click
Add Member.... Select a user or group from the resource browser and
click OK. To remove a member from a role, select the Role and
Member and then click Delete Member.
Permission Inheritance
Profile permissions for all roles are inherited downward to all children
profiles. Permissions do not inherit up the profile tree.
In the above illustration, Grandchild A and Grandchild B automatically
inherit the permissions assigned to Child A. However, Grandchild C
does not inherit any permissions from Child A. Grandchild C has the
ability to inherit permissions from Child B which can inherit from the
ACME Parent profile.
109
Administrator's Guide
Permissions automatically are inherited by children profiles except in
the case where the child profile explicitly denies the inheritance. In the
above illustration, the role granted permission in profile Child B was
explicitly given Deny permission in profile Grandchild C.
When creating a local role, the member cannot assign permissions to
any object other than what they have access to. The permission level
cannot be greater than the permissions that they have. For example, if
a member of a role has View and Change permission to the printers
object, they cannot assign another user Add/Delete permissions to the
printer object.
110
Global Configuration
GLOBAL OPTIONS
The Global Options object provides the ability to define several
settings which affect how Desktop Authority initiates for each client.
These settings apply to all users and profiles and include several
objects. These objects include Assign (Logon) Script, Patch
Distribution, global dynamic variable definitions, visual settings,
Desktop Authority exceptions, desktop agent settings, troubleshooting
options, and Server Manager.
Global Options objects are available only to Super Users/Groups with
the exception of Assign Script. The Assign Script object is limited to
Domain Admins.
Definitions
The Definitions object is used to define custom dynamic variables.
These variables may be used within any profile as well as in any
custom script.
Visual
The Visual object is used to set the default graphical startup mode
of Desktop Authority as it executes on the client during the logon
process.
Exceptions
The Exceptions object is used to disable the ability to run Desktop
Authority or allow an alternate logon script to run on any of the
specified computers.
Desktop Agent
The Desktop Agent will launch specified programs as the client logs off or
shuts down the computer. This object provides several default options for
the Agent.
Troubleshooting
The Troubleshooting object is used to define several settings that
can help to troubleshoot problem clients. The most common setting
on this object is the setting to create a detailed trace file for one or
more specified users and/or computers.
111
Administrator's Guide
CLIENT DEPLOYMENT - ASSIGN SCRIPT
The Assign Script dialog box provides the ability to assign a logon
script to domain user accounts. In addition to assigning a logon script
to domain users, this tool can also be used to query which users in
your domain currently have a specific logon script assigned to them.
Any user who is a Domain Admin has the ability to update the
assign/unassign logon scripts for users.
Select Domain
Select the domain that will be used to search for users and assign
logon scripts to them.
Active Directory OU and Groups Tree
The Active Directory OU and Groups Tree displays the Active Directory
OUs and Groups in which users can be searched.
112
Configuration
Filter Options
Username
Enter search criteria that will find matching Active Directory users.
Searching with a specific OU highlighted in the tree will search only
that specific OU. Search criteria can be entered in the following
forms.
Enter an * wildcard to list all Active Directory users.
Ex. [*
]
Enter one or more characters with a trailing * to find all users
whose username begins with the specified characters.
Ex. [br*
]
Leave the Username entry blank to get a list of all Active Directory
users.
Ex. [
]
Assign Script
Assign Script
Click Assign Script or right-click and select Assign Script from the
shortcut menu to assign a logon script to all selected users in the
list. Once the menu selection is chosen you will be prompted to
name the script to assign to the user.
Unassign Script
Click Unassign Script or right-click and select Unassign Script
from the shortcut menu to unassign a logon script from all selected
users in the list. Once the menu selection is chosen you will be
prompted to confirm your selection.
User List
The User list displays all users that have an established network
account. Shown in this list are the User Id, Name, associated logon
script (if any) and the given Description of each user.
Select a user by highlighting the user account in the list. To select
multiple consecutive users from the list, click on the first one. While
holding down the SHIFT key, select the last consecutive user. Multiple
non-consecutive users may be selected from the list by pressing the
CTRL key while selecting each individual user.
113
Administrator's Guide
CLIENT DEPLOYMENT - GPO DEPLOYMENT*
The GPO Deployment dialog box is used to deploy client services to
Vista and Windows Server 2008 clients when User Account Control
(UAC) is enabled. It deploys 2 Group Policy objects. One GPO will
deploy an MSI which is used to install client services on the client. The
client services are used to perform administrative actions.
The Desktop Authority Manager will deploy the GPO extensions to the
selected OUs. Each time a Microsoft Vista or Microsoft 2008 Server
client logs on to the network, the GPO extensions will determine if it is
necessary to deploy the client side extensions. The client side
extension and the MSI GPO work together to install/uninstall the client
services.
114
Configuration
GPO Deployments (Vista Clients and Windows Server 2008
Clients Only)
The GPO Deployments list contains a list of OUs that the GPO
Extension will be installed to or removed from. Click on a column
header to sort the list either ascending or descending by the
selected column.
Organizational Unit
The Organizational Unit to which the extension will be installed to
or removed from.
Domain
The Domain to which the OU belongs to.
MSI Install Mode
Install Mode defines the action to take place in the OU. Available
actions are Install and Uninstall.
CSE GPO State
This column will show the current state of the client side extension.
Possible status values include Installed, Uninstalled, Installed (Not
Linked), Installed (AD Only), Install Broken, Uninstall Failed and
Unknown.
MSI GPO State
This column will show the current state of the MSI GPO extension.
Possible status values include Installed, Uninstalled, Installed (Not
Linked), Installed (AD Only), Install Broken, Uninstall Failed and
Unknown.
Path
The Path defines the actual location of the Group Policy Object for
the OU.
Refresh GPO States from AD
Click to force a reconciliation of items in the GPO Deployments list
against Active Directory.
Change MSI Install Mode
Click Change MSI Install Mode to instruct the client-side
extension to Install or Uninstall the GPO Extension on the client in
the selected OU. Alternatively right-click in the GPO Deployments
list to set the install mode.
115
Administrator's Guide
Redeploy GPO to AD
Click to force a reinstallation of the GPO extension to the specified
OU. This is useful when one or both of the CSE/MSI GPO states are
something other than Installed. When the CSE/MSI GPO deployment
states both are in an installed state they will be ignored.
Alternatively, right-click in the GPO Deployments list to reinstall an
OU.
Add GPO
Click Add GPO to select an OU to deploy the GPO Extension to. The
selected OU will be added to the GPO Deployments list.
Alternatively, right-click in the GPO Deployments list to add an OU.
The first time the Select OU dialog is used, the Organizational Units
are enumerated. Since this may take a little bit of time, this
enumeration will only take place the first time. If the OU structure is
modified, the dialog will need to be forced to reevaluate the new OU
structure. Refresh this dialog by right-clicking inside the dialog and
select the Refresh OU Data for domain or press F5.
Remove GPO
Click Remove GPO to delete the selected OU entries from the GPO
Extension rollout list. Alternatively, right-click in the GPO
Deployments list to remove an OU.
116
Configuration
PATCH DISTRIBUTION*
The Patch Distribution object is used to help in researching and/or
downloading patches for Microsoft applications as well as Adobe
Acrobat, Adobe Acrobat Reader and Firefox. The object's dialog is
divided in half, displaying filter criteria on the top and a list of filtered
patches on the bottom. The patch list can be filtered on severity and
product to help find the patches needed. The Patch Distribution object
can only be modified by a Super User/Group.
The Update Service must be installed and configured in order for
Desktop Authority to retrieve the latest patch listings and files. If it is
not configured at the time the Patch Distribution object is selected in
the Navigation Pane, a message will be displayed with an opportunity
to install and configure the service.
117
Administrator's Guide
Once configured, the download servers will query scriptlogic.com to
determine the product mode and download updated patch file listings,
when available. For more information on the Update Service, see What
is the Update Service?
Note: If the server does not have Internet access, the Desktop
Authority Updates and Patch Download Service (DAUPDS) can
be used to provide the Enterprise the ability to download
patches and updates for Desktop Authority Servers that may
not or can not have Internet access. This tool will download the
updates and patches which can be imported into Desktop
Authority for consumption by the Update Service. For more
information on this tool, go to the Desktop Authority support
page on the ScriptLogic website.
Filter
Use the Filter tool to minimize the available patch list based on
severity and/or product. Select the Severity Filters check box to
automatically select each severity listed below it or select individual
severities below the Severity Filters check box. Clear the Severity
Filters check box to clear all selected severities.
Select the Product Filters check box to automatically select all products
listed below it or select individual products below the Product Filters
check box. Clear the Product Filters check box to clear all selected
products.
Distribution Server
Select a server from the list and click Connect to select a new
Distribution server.
Current Server
The Current Server designates the server that is Update Service is
currently connected to. This is the server that patch files will be
downloaded to if Download File is selected from the shortcut menu
in the Patch List.
Database Version
The Database Version specifies the date and time stamp of the
Patch File which contains the list of patches available for download.
Search/Cancel
Click Search to filter the patch list based on the selected Severity
and Product filters. A count of selected patches will be displayed
following the search.
Once clicked, the Search button will turn into a Cancel button. Click
Cancel to abort the current search.
118
Configuration
Patch List
The Patch list displays all filtered patches. Information regarding each
patch includes the date the patch was posted, Bulletin ID, Superceded
By patches, Patch number, Severity, patch status, the product(s) the
patch pertains to, patch title, and patch description. The patch list is
sortable by any one of the columns available in the list. Sort the list by
clicking on a column header.
Select a patch for download by highlighting it in the patch list. To
select multiple consecutive patches from the list, click on the first one.
While holding down the SHIFT key, select the last consecutive patch.
Multiple non-consecutive patches may be selected from the list by
pressing the CTRL key while selecting each individual patch.
The status column within the patch list describes whether the
patch file has been downloaded or not. Periodically there will
be a status for some patch files that says Not available for
automatic download. This status may occur for various reasons.
It may be a patch that is no longer supported or available for
download or does not have a silent install. Silent installs are
necessary for Patch Management.
Right-click on a patch in the patch list for further options.
Download Patches
Select Download Patches from the shortcut menu to start the
download process. The selected patch(s) will be downloaded from
Microsoft to the selected destination for each server running the
Update Service. The Update Service is configured in Server
Manager.
On a network with a single download server and multiple distribution
servers, the downloaded patches are not automatically distributed to
the distribution servers. For details on how patch files are
distributed throughout the network, see the Best Practices using the
Update Service topic.
Refresh
Select Refresh from the shortcut menu to refresh the filtered patch
list.
More Info...
Select More Info... from the shortcut menu to read more detailed
information about the patch. This will open Microsoft's Tech Net
Bulletin for the selected patch. When multiple patches are selected,
this option is not available.
*This feature is not a standard part of Desktop Authority Express. To
obtain this feature, Desktop Authority Express must be upgraded to
the full version of Desktop Authority.
119
Administrator's Guide
SOFTWARE DISTRIBUTION*
MSI packages contain all necessary files an application needs in order
for it to be installed using Microsoft's Windows Installer. Windows
Installer can install and/or uninstall MSI packages for any application
regardless of the install package used by the manufacturer.
Administrators can customize an MSI package by creating a transform
(.MST) file. The transform can provide answers to Windows Installer
when the MSI file calls for user input, such as choosing which options
to install or the correct installation path. It can also remove unwanted
features from the basic installation. MSP files are Microsoft Windows
patch files that are updates to applications that have been previously
installed with Windows Installer.
The Desktop Authority Software Distribution object is used to manage
a repository of Microsoft Windows Installer (MSI,MST,MSP) packages.
Desktop Authority provides access to Desktop Authority MSI Studio.
MSI Studio is a complete application software packaging solution used
to create new Windows Installer files and modify existing ones.
The Software Distribution object provides the ability to:
•
import packages into its repository.
•
export packages from its repository.
•
create and modify packages using Desktop Authority MSI
Studio.
•
delete packages from the repository.
•
publish packages for deployment using the Desktop Authority
MSI Packages object.
•
unpublish packages, i.e., remove them from use by the MSI
Packages object.
•
determine the differences between published and unpublished
packages.
120
Configuration
Desktop Authority accesses Windows Installer packages, providing the
ability to Import, Export, Modify (by calling MSI Studio), Delete and
Publish these packages.
121
Administrator's Guide
Import
Click Import to copy a Windows Installer package into the Desktop
Authority repository. The Installer file must be an existing MSI, MST
or MSP package.
New
Click Edit to call Desktop Authority MSI Studio to package a new
solution. This option is only available if MSI Studio is a licensed
product.
Refresh
Click Refresh to freshen the Software Packages list.
Software Packages
The Software Packages list defines all Windows Installer packages
that are available for deployment. This includes MSI, MST and MSP
files. Packages must be imported into the Desktop Authority
repository to show in this list. The following information is available
about each package in the list: Product Name, File Name, Published
Status, Published Date, Manufacturer, Type, Version, Product Code,
and File Size.
Publish
Click Publish to move the selected Windows Installer packages to
the Update Service's distribution servers. Distribution servers are a
defined part of the Update Service and are configured within Server
Manager.
For configuration information on the Update Service, see What is the
Update Service?
Unpublish
Click Unpublish to remove Windows Installer packages from all
distribution servers.
Edit
Click Edit to call MSI Studio to modify an existing solution. This
option is only available if MSI Studio is a licensed product.
Delete
Click Delete to remove a Windows Installer package from the
Desktop Authority repository.
Export
Click Export to copy a Windows Installer package from the Desktop
Authority repository to another defined location.
122
Configuration
Show Differences
Click Show Differences between the published and unpublished
versions of the selected package, if any differences exist.
Differences will be displayed within MSI Studio.
This function is only available if the MSI is published and there are
determined to be differences between the published and
unpublished version of the package. If it is determined that there
are no differences between the published and unpublished version of
the package, this button will be disabled.
*This feature is not a standard part of Desktop Authority Express. To
obtain this feature, Desktop Authority Express must be upgraded to
the full version of Desktop Authority.
123
Administrator's Guide
GLOBAL DEFINITIONS
The Global Definitions object is used to define custom dynamic
variables. These variables may be used within any profile as well as in
any custom script. Global Definitions can only be modified by a Super
User/Group.
Click Edit to add entries to the definitions file. The definitions file will
be opened for editing in Windows Notepad. Be sure to save all changes
to the file before closing it. All definitions in the file must contain valid
KiXtart script code.
124
Configuration
GLOBAL VISUAL
The Visual object is used to set the default graphical startup mode of
Desktop Authority as it executes on the client during the logon
process. One of three display types can be selected. Also on the Visual
tab is a logoff visual option. The Visual object can only be modified by
a Super User/Group.
125
Administrator's Guide
During the Logon sequence
Display default graphic
Select this option to enable the default splash screen. This is a
window that displays the logo along with a progress bar indicating
the progress of the logon.
Displaying the default graphic during the logon process is the default
option.
Display custom graphic
Select this option to enable a custom graphic splash screen as the
client logon request is processed.
This option requires clients to have Internet Explorer 4.0 or
above. However, if Internet Explorer 4.0 has the Desktop
Component Update (i.e. Active Desktop), only a progress bar
will be displayed (no custom logo).
Logo filename
Click Import or type an image name into the Logo filename entry,
to specify a custom image that will display during the logon
process. The following graphic formats are supported: bmp, rle, gif
and jpg. Once an image is selected, it will be copied to the
SLSCRIPTS$ share. Click View to preview the image that will be
displayed.
Specifying $weekday.ext in the entry (where ext is the graphic file
extension), will display the image associated to the current day of
week. For example, if $weekeday.bmp is entered in the Logo
filename entry, on Monday, Monday.bmp will be displayed. On
Tuesday, Tuesday.bmp will be displayed, and so on for the rest of
the days of the week. If no associated weekday image is found, the
default Desktop Authority image will be used. $Weekday is the only
variable that may be used in this field.
Progress dialog location
Select the location of the progress bar dialog box from the list.
Valid choices are Lower Right, Lower Left, Upper Right, Upper Left
and Center.
Allow any client to override this setting and always display
the text screen
Select this check box to override the selected option and allow a
client to use the text logon screen for troubleshooting purposes.
On each specific client that will use a text logon screen, create a
file called SLNOGUI. (no file extension). The presence of this file
notifies Desktop Authority to display a text logon screen during the
logon process.
126
Configuration
Display only the progress dialog when logging on from a
Terminal Server session
Select this check box to display a small progress dialog for Desktop
Authority execution on Terminal Server sessions. This minimizes
the amount of data to be sent from the Terminal Server to the
client.
Display only the progress dialog when logging on over a dialup connection
Select this check box to display a small progress dialog for Desktop
Authority execution on clients that connect to the network via a
dial-up connection. This minimizes the amount of data to be
passed over the line and will speed up the logon process.
Display the informational text screen
Select this option to enable a text splash screen as the client logon
request is processed.
This display is a great tool for troubleshooting. It provides
information regarding the user, the computer and functions that are
being processed as the logon script runs.
End of script completion message
Enter static text to be used as a message in the text splash screen
when the logon process is complete. Dynamic variables may be
used in conjunction with any text entered. Desktop Authority’s
dynamic variable selection is available for this field by pressing the
F2 key.
Display no graphic or splash screen
Select this option to disable all splash screens that would normally
be displayed during the client logon process.
During the Logoff Sequence
Display progress graphic
Select this box to display a progress bar on the client during the
logoff process. Clear this box to display no information on the client
during the logoff process.
127
Administrator's Guide
GLOBAL EXCEPTIONS
The Exceptions object is used to disable the ability to run Desktop
Authority or allow an alternate logon script to run on any of the
specified computers. Exceptions can only be modified by a Super
User/Group.
Do not launch Desktop Authority on:
Select the appropriate box for each computer class that should be
excluded from running Desktop Authority. These selections may
include any combination of the following computer classes: Desktop
Computers, Notebook Computers, Tablet Computers,
Terminal Server Clients, Member Servers, Domain
Controllers, Clients connecting over dial-up, Citrix ICA
Published Applications, and Specific Computers.
When excluding Specific computers from the execution of Desktop
Authority, enter the computer names in the entry provided.
Separate multiple computer names using a semicolon (;). Wildcards
may be used with the computer names.
128
Configuration
Launch alternate script (bat/cmd)
When a computer class is excluded from running Desktop Authority,
an alternate batch or cmd file may be launched instead. Running an
alternate batch file is useful if your users require only a few simple
drive mappings and do not need the full configuration capabilities
that Desktop Authority offers. Select the Enable box to designate
the alternate selection. Manually type the name of the alternate file
to locate the file on the network. The file must have an
or click
extension of .BAT or .CMD in order for it to run as a logon script.
to locate the file will automatically copy the file to the
Using
SLSCRIPTS share so that it may be replicated to the NETLOGON
share on each domain controller.
Once a .BAT or .CMD file extension is entered into this field,
is
will allow editing of an existing file or the
enabled. Clicking
creation of a new file if the file name is not found in the SLSCRIPTS
share folder.
Do not perform logoff and shut down actions
Select this box to disable the ability to process all logoff and shut
down actions. No logoff or shut down events will be processed,
regardless of whether they are selected as part of a profile's or
element's validation logic settings.
Note: Selecting this check box will not remove the ability to
select logoff or shut down from the timing validation logic
settings. Only the ability to execute the profile/element at
logoff or shut down will be disabled.
Allow any client to selectively bypass Desktop Authority
execution
Selecting this box allows certain computers to be excluded from
ever executing Desktop Authority regardless of the options selected
in the Desktop Authority Manager. This option requires the use of a
special options file called SLBYPASS. If this file is present on the
client, Desktop Authority will detect its presence and immediately
exit before launching the main script engine and/or applying any
configuration changes to the client.
Note: For information on creating and using option files, see
the Option Files topic.
129
Administrator's Guide
GLOBAL DESKTOP AGENT
The Desktop Agent is an application that launches specified programs
when the client logs off or shuts down the computer. There are several
default options for the Desktop Agent. Desktop Agent options can only
be modified by a Super User/Group.
Do not show desktop agent in system tray
Select this check box to hide the Desktop Agent icon in the system
tray. Although the icon is hidden, the agent will still be active.
Always restart computer, even if shut down is selected
(Desktops Only, excludes Vista and 64 bit platforms)
Select this check box to force the computer to Restart even if a Shut
down was selected. This option comes in handy when installing
service packs or other applications that may need to complete after
the system restarts.
Using this option sets the Agent to automatically launch regardless
of any logoff/shut down events.
Wait seconds before executing the next synchronous
application.
Specify the maximum number of seconds the computer will wait
before running each successive synchronous logoff/shut down
application. The timer default is 900 seconds (15 minutes); zero (0)
will disable this timer. Disabling this timer will cause Desktop
Authority to wait for the natural completion of each individual
application. Each application must complete on its own before the
next synchronous application will begin.
130
Configuration
Wait seconds after executing the last application before ending
the Windows session.
Specify the maximum number of seconds the computer will wait for
all logoff/shut down applications to complete before performing the
logoff or shut down of the computer. For asynchronous applications
this timer starts after the last application is launched.
When synchronous applications are invoked, this timer begins after
the completion of the final synchronous application. The timer
default is 1,800 seconds (30 minutes); zero (0) will disable this
timer. Disabling this timer will cause the Desktop Agent to wait for
the natural completion of all applications
(synchronous/asynchronous).
131
Administrator's Guide
GLOBAL TROUBLESHOOTING
The Troubleshooting object is used to define several settings that
are used to aid with tracing problems with objects/elements that are
being applied on one or more client machines. These Troubleshooting
settings will be in effect for both Logon and Logoff timing events. The
Troubleshooting object can only be modified by a Super User/Group.
The most common setting on this object is the ability to create a
detailed trace file for one or more specified users and/or computers.
Do not hide windows during logon sequence
Select this check box to show all initialization windows during
Desktop Authority startup. This option is useful when
troubleshooting logon problems.
Force KiXtart to refresh its group token-cache during each
logon attempt
Enumerated groups are cached to the local machine. To flush the
local cache and rebuild it on the local machine select this check box.
The cache will refresh during each logon attempt.
132
Configuration
Create a detailed trace file on these specific computers and/or
users:
Select this check box to enable a trace file to be created for specific
computers and/or users.
The sltrace.htm file is a color coded event log of actions taken
during the logon process. Red text within the file indicates that
some action may not have completed properly or may be taking
longer than expected.
Specify a list of computer names and/or user names that a
comprehensive trace file will be created for. This trace file describes
the actions taken during the logon process. It is created in the
client's %temp% folder and is called sltrace.htm.
Names must be delimited by a semicolon (;). The computer/user
name supports the question mark (?) and asterisk (*) wildcards.
Example:
mjones;jsmith;PC221;PC3??;PC4*
Upload a copy of each clients trace file to this network path
Specify a network path to which all client trace files will be copied
to, after each logon.
Click View to view the trace file repository as specified by the entry.
Enable debug mode for these specific computers and/or users:
Select this check box to allow Desktop Authority to run in debug
mode for the specified computers and/or users.
Specify multiple names by delimiting each by a semicolon (;). The
computer/user name supports the question mark (?) and asterisk
(*) wildcards.
To activate the debug session on the client, press any key upon
Desktop Authority initialization. Debug mode runs the logon script,
pausing after each entry is executed on the client machine. Press
[Enter] to continue processing the next script entry. Press the letter
[D] on the keyboard to continue processing the script to the end,
without pausing. Press the letter [Q] on the keyboard to abort the
script.
When the script if finished processing, you are prompted to apply
the contents of the configuration profiles to the debug log. This will
append the debug information generated from the client logon
process to the sltrace.htm file. You are then prompted to view the
sltrace.htm file. This text file may be viewed at any time to further
debug problems that may occur during logon for a client.
133
Administrator's Guide
Server Manager
SERVER MANAGER
The Server Manager object is where the service, plugin and database
configurations are configured. Only a Super User/Group will have
access to Server Manager and its components.
Service Management
Service Management is a multi-threaded component that provides an
interface to manage the ScriptLogic service, the Update Service and
the replication process.
OpsMaster Service
The OpsMaster Service object is used to manage and configure
plugins. Plugins are ScriptLogic provided objects that the Desktop
Authority Manager uses to perform specific operations. There are two
default plugins that are necessary for Desktop Authority to collect data
and report on it.
Database Configuration
The Database Configuration tool provides the ability to perform
maintenance operations on Desktop Authority's back end SQL
databases. The supporter operations include: backup/restore the
database, shrink/increase the allocated database size, and
maintenance operations such as rebuilding indexes and database
consistency checks.
134
Configuration
DATABASE CONFIGURATION
The Database Configuration tool provides the ability to perform
maintenance operations on Desktop Authority's back end SQL
databases. The supported operations include: backup/restore the
database, shrink/increase the allocated database size, and
maintenance operations such as rebuilding indexes and database
consistency checks. The Database Configuration object is available
exclusively to a Super User/Group. Non-Super Users/Groups do not
have the ability to open the Database Configuration object.
The Database Configuration tool is broken up into two sections;
Database Connection and Database Operations. Before any operations
can be performed a connection to the database must be established.
During installation, Desktop Authority creates a single named instance
of the Microsoft SQL Server 2005 Express Edition. The named
databases created within this SQL instance are DACONFIGURATION
and DAREPORTING. The DACONFIGURATION database is where all of
the Desktop Authority configuration data is stored. The DAREPORTING
database is where the reporting data is stored.
135
Administrator's Guide
Database Connection Information
A connection to either database can be made using Windows
Authentication mode or SQL Server Authentication mode.
Windows
Select Windows to connect to SQL using a Microsoft Windows user
account.
SQL/MSDE
Select SQL/MSDE to connect to the database using Mixed Mode
Authentication (Windows Authentication and SQL Server
Authentication).
Login
Enter the SQL login name.
Password
Enter the SQL login password.
Physical Server
Enter the server or instance name containing the database to
to select a database from the list of all namedconnect to. Click
instances found on the network. Click Connect to establish a
connection to the desired server. Click Disconnect to remove the
database connection to the server.
Database
Once the server is connected to, all of the databases on the server
are made available to the database list. Select the desired database
from this list.
136
Configuration
Database Operations
Perform a Backup or Restoration
Perform a backup
Create a complete backup copy of the selected database. This copy
is stored in a separate location that is protected from the potential
problems on the server. If the MSDE/SQL server fails, or the
database is damaged, the backup can be used to restore the
database.
Perform a restore
Perform a restore operation on a previously backed up database.
Backup/Restore File
For a backup operation, specify the backup filename. For a restore
operation, select the file to be restored. Specify a local file path or
a UNC path.
Media Name
Provide informational text to aid in the identification of a backup
set.
Media Description
Provide informational text to aid in the identification of a backup
set.
Backup/Restore Database
Click Backup/Restore Database to start the selected operation.
137
Administrator's Guide
Shrink the Database and/or its Transaction Logs
Shrink both the database and transaction log files
Reduce the size of all files in the database. File(s) are truncated to
reflect freed space.
Shrink the transaction log files only
Reduce the size of the database's transaction log files only. File(s)
are truncated to reflect freed space.
Shrink
Click Shrink to begin the selected shrink operation.
Increase Database Size
Existing Database Size
Displays the current size of the selected database in megabytes.
The size includes data and transaction log files.
Get Current Size
Click Get Current Size to retrieve the database size information.
New Database Size (in MB)
Specify a new database size in megabytes.
Set New Size
Click Set New Size to increase the size of the database.
138
Configuration
Perform Maintenance on the Database
Rebuild database indexes
Rebuilding indexes reorganizes the storage of the index data to
remove fragmentation. This can improve disk performance by
reducing the number of page reads required to obtain the
requested data. Check this box to rebuild the database indexes.
Reset identity columns
Check this box to renumber the identity columns for all tables
within the database.
Perform consistency checks
Check this box to check the consistency of the database and its
indexes. If necessary this operation will rebuild the indexes and
update the index statistics.
Perform Maintenance
Click Perform Maintenance to perform the selected maintenance
operations.
139
Administrator's Guide
OPSMASTER SERVICE
The OpsMaster Service object is used to manage and configure
plugins. Plugins are ScriptLogic provided objects that the Desktop
Authority Manager uses to perform specific operations. There are a few
default plugins that are necessary for Desktop Authority to collect data
and report on it. The OpsMaster Service object is available exclusively
to Super Users/Groups. Non-Super Users/Groups do not have the
ability to open the OpsMaster object.
The OpsMaster Service object list provides the ability to sort the list on
any of the three columns, ascending or descending order. The order of
the columns themselves can also be changed. Simply drag a column to
its new desired location in the list.
Right-clicking on either plugin displays a shortcut menu. The two
options on this menu include Restart Selected Plugin and Reload
Plugins List.
Restart Selected Plugin
Select this option from the shortcut menu to restart the selected
service.
Reload Plugins List
Select this option from the shortcut menu to refresh the plugins list.
140
Configuration
Status legend:
A green marker indicates that the plugin is currently running and
there are no problems.
A yellow marker indicates that there is some problem with the
plugin. The plugin may have either timed out or is not responding
to requests. Select the problem plugin and click Restart or rightclick and select Restart this plugin from the shortcut menu to
attempt to correct the issue with the plugin by reloading it.
A red marker indicates that this plugin is not currently running.
Select the problem plugin and click Restart or right-click and
select Restart this plugin from the shortcut menu to start the
plugin.
ETLProcessor
The ETL processor plugin manages data collection processes. This
plugin is a service that is installed and started when Desktop Authority
is installed. This service should run regardless of whether the Manager
is running or not. It helps to collect data as users login and out of the
network. Many other user operations are also logged.
There are several configuration parameters available for this plugin.
Collection Thread Sleep Time
Specify the amount of time (in minutes) for the data collection and
processing threads wait after they finish. The default sleep time is
set to 60. Allowable values can be between 1 and 36399 minutes.
Profile and RBA Audit Data Backup
Specify the time of day for the configuration data to be processed
and moved to the Reporting database. Once the data resides in the
Reporting database it can be reported on. The default backup time is
set to 1:00AM.
Purge Malformed XML File Imports
Specify the number of days in which malformed collection data files
can be purged. The default value is set to 10 days but may be
changed to any value between 0 and 30 days.
Retention Period for Database Records
Certain configuration data tables grow at a very fast rate. This
necessitates the ability to purge older data from the system. The
default retention period is set to 365 days. This may however be set
to any value between 0 and 7300 (20 years).
141
Administrator's Guide
Synch Reporting Data
In opposition to the automatic Profile and RBA Audit data backup,
click Synch Reporting Data to process reporting data right away.
Save
Click Save to commit all changes to the ETLProcessor plugin
configurations.
Cancel
Click Cancel to go back to the last saved values of all ETLProcessor
plugin configurations.
The ETL data collection process, by default, is enabled.
However, the data collection process can be disabled by using
simple switches within the Manager's Global Definitions object.
Switch (where x = 0 or 1)
Description
$slCollectUserSessionInformation = x
User Activity.
where x = 0 disable, or x=1 enable
$slCollectBasicMachineInformation = x
Computer
Information. where
x = 0 - disable, or
x=1 - enable
$slCollectPatchInformation = x
Patch data. where
x = 0 - disable, or
x=1 - enable
$slCollectAntiSpywareInformation = x
Anti-Spyware data.
where x = 0 disable, or x=1 enable
$slCollectSoftwareInformation = x
Software data
collection. where x
= 0 - disable, or
x=1 - enable
$slCollectHardwareInformation = x
Hardware data
collection. where x
= 0 - disable, or
x=1 - enable
142
Configuration
OpsMasterService
The OpsMasterService manages and supports Desktop Authority's
replication, underlying plug-ins and database connectivity. There are
no configuration options for this plugin.
To change the service credentials for this backbone plugin, select
Change Operations Master Service Credentials... from the Role Based
Administration menu.
ReportScheduler
The ReportScheduler plugin that runs scheduled reports. This plugin
runs every minute checking for reports to run. There are no
configuration options for this plugin.
Restart
Click Restart to restart the selected service.
143
Administrator's Guide
CONFIGURING THE OPSMASTER SERVICE
To change the service credentials for this backbone plugin, select
Change Operations Master Service Credentials... from the Role Based
Administration menu.
This service is a background service that is used to manage and
configure Desktop Authority's plugins. These plugins are used to
perform specific operations such as audit data collection and the
execution of scheduled reports. Enter the User name and Password for
a user account that belongs to the Domain Admins group. The user
name should be entered in the form of Domain\Username. Click
use the Resource Browser to browse the network and select an
appropriate user.
144
to
Configuration
SERVICE MANAGEMENT
The Service Management object is a multi-threaded component that
provides an interface to manage the ScriptLogic service, the replication
process and the Update Service. Service Management is available
exclusively to a Super User/Group. Non-Super Users/Groups do not
have the ability to open the Service Management object.
The Service Management grid details the status of each server utilized
by Desktop Authority, including the status of the ScriptLogic and
Update Services and the replication status of configuration files. Using
this grid, the status of service(s) and replication can be monitored for
all servers at a quick glance. You can start, stop, configure, install and
remove the ScriptLogic and/or the Update Service on one or more
servers from this single location. Replication can also be managed
from this simple grid. One or more servers can be defined as a target
for replication and replicate the configuration files.
Since the topology of each network is different it may be
advantageous to execute Desktop Authority from locations other than
your domain controllers. Server Manager implements a distributed
management technology that allows you to delegate control of server
configurations. One or more servers are assigned the responsibility of
hosting the ScriptLogic and Update services as well as acting as a
replication partner for the published Desktop Authority configuration
files.
To configure servers for Server Manager, click the Discover button on
the toolbar to tell Server Manager to examine the network for existing
domain controllers and add them to the list. Right-click on one or more
existing server(s) in the grid for several server properties.
The Site column denotes the defined site name of the associated
server. By default, workstation requests are directed to servers within
the same site if possible. However, it is possible to configure Server
Manager to select specific sites if necessary. This can be done using
the Configure Site Map option.
145
Administrator's Guide
Selecting the Target box marks the target folder on a server as a
location that will host Desktop Authority’s configuration files when
publishing. Normally the target path for replication is the NETLOGON
share of your domain controllers but this may be changed in the
Server Properties dialog. This is the path that Desktop Authority is
executed from during logon. When you check the target box, Server
Manager verifies that the target path exists; if not the directory will be
automatically created.
Desktop Authority uses replication to provide a method of publishing
Desktop Authority configurations to Windows NT, Windows 2000 and
Windows 2003 domain controllers. Desktop Authority does this with its
own replication process from within the Server Manager. Server
Manager sets the configuration of the replication process on the
Replication Options tab of the Server Manager Options dialog and the
Server Properties menu. Desktop Authority’s replication can be used to
replace Windows Directory Replication services or work in conjunction
with it. Of course, if Desktop Authority is your only logon script, there
is typically no need to add the overhead of Windows' replication
process to your domain controllers. Each time changes are made to
your configuration using the Desktop Authority Manager, you will save
the changes, replicate and then exit. By default, only the changed files
will be replicated.
When you install Desktop Authority, a default distribution system is
created. The Domain Controller that you installed the program to
(otherwise known as the Operations Master) holds the Desktop
Authority Manager program files and acts as the source (or master)
location for your script files.
The Replication Status column in the Server Manager grid is updated
continually and shows when, or if, each server was last replicated to.
The target path is first verified for existence and then queried to
determine the date and time the Desktop Authority files were last
updated.
Server Manager uses intuitive colored LEDs to represent the status of
replication and the ScriptLogic service on each server.
146
Configuration
Replication Status legend:
A green marker indicates that the files in the target folder are in
sync with the files in the Operations Master. All Desktop Authority
configuration files on the server match the date and timestamp of
the configuration files on the source domain controller. The date
and time of the last replication is displayed.
A yellow marker indicates that the files in the target folder are
outdated. Different versions of these files exist on the Operations
Master. Desktop Authority configuration files have been updated
on the source domain controller, however, the changed files may
not have been replicated to this server. The date and time of the
last replication is displayed.
A red marker indicates that this server is a Target but no files are
found in the target folder. Since this server is a Target, replication
should occur for this server. The message "Files not found" is
indicated in this cell.
A gray marker indicates that this server is not a Target and the
configuration files do not exist in the Target folder. The message
"Not a target" is indicated in this cell.
The ScriptLogic Service column shows the current state of the service
on each server.
The Update Service column shows the current state of the Update
Service on each server. The Update service type column designates
how the Update server is configured. The Update server can be
configured as a Distribution or Distribution/Download server. A server
configured as a Distribution server is one that will deliver patch files to
client computers. A Distribution/Download server is one that will
download patch files as well as deliver them to client computers. The
Update service type is defined by the Update Service configuration
option to Allow this server to download patches. If this box is selected
the Update service type is defined as Distribution/Download. A server
type is defined as Distribution if the service is not configured to
download patches.
147
Administrator's Guide
Service Status Codes legend:
The service is started on the server.
The service is out of date. Server Manager will typically prompt
you to update outdated services.
The service is currently stopped on the server.
The service is not installed on the server.
Right-click on one or more cells in either the ScriptLogic or Update
service columns to Start, Stop, Restart, Configure, Install, Remove or
Update the service image. For more information on these options refer
to Service options.
Server Manager Toolbar
Options
Click Options to define replication options and Server Manager
Preferences.
Save
Click Save to save any changes made in the Server Manager list.
Refresh
Click Refresh to update the status of each server in the server
manager grid. Each server is inspected for services as well as the
Desktop Authority configuration file. The grid is updated with the
current status of each.
Add
All domain controllers should be listed in the Server Manager grid. If
there are any missing from the list, click Add to update the list.
Alternatively, right-click on one or more servers in the Server
column and select Add Server from the shortcut menu, click Add
server.
After choosing to add a server, traverse through the tree to locate
to
the server to be added to the Server Manager grid. Click
expand or contract the server list. Highlight the server and click Ok.
Remove
Select one or more servers and click Remove. Alternatively, rightclick on one or more servers in the Server column and select
Remove Server from the shortcut menu. This is useful if a domain
controller is removed from the network.
148
Configuration
Discover
Click Discover to force Server Manager to examine the network for
existing domain controllers. Depending on the number of domain
controllers and their geographic diversity over WAN links, this may
take some time. Click Add to manually add a domain controller that
is not automatically discovered.
Test Sig
Signatures validate the integrity of the definition files (.SLD) and
configuration profiles (.SLP). Click Test Sig is used to verify file
signatures. It will first verify that the Signatures Public Key (stored
in %Program Files%\ScriptLogic Manager\slsrvmgr.ske file) is the
same on each server that has the ScriptLogic Service installed. The
signature is stored in the registry of each server as a hidden value.
It also will calculate the hash value of each definition file (.SLD) and
configuration profile (.SLP), in the server's Netlogon directory, for
every server that has been targeted for replication. It will compare
them against the value stored in the Slsigs.ini file.
149
Administrator's Guide
OPTIONS
The Options dialog box provides several Replication options and
Preferences.
Replication options
Source server
Specify the server that the Desktop Authority configurations are
replicated from. By default, this is where the Manager is installed to.
Source folder
Specify the folder that the Desktop Authority configurations are
replicated from. By default, this is where the Manager is installed to
within the SLSCRIPTS$ share.
NT 4.0 Directory Replication
Publish an additional copy of the configuration files to:
Select this check box if Microsoft replication is being used in
conjunction with Desktop Authority. Enter the additional path where
the Desktop Authority configuration files should be published to.
Click
to locate the additional folder.
Options
Include hidden & system files
Select this check box to include all hidden and system files that exist
in the source folder in the replication copy. Clear this check box to
leave all hidden and system files in the source folder.
Overwrite read-only files
Select this check box to overwrite any files marked as read-only in
the destination folder with a new file from the source folder. Clear
this check box to leave all original read-only files intact.
Update only changed files
Select this check box to replicate only those files that have a
different date than those on the destination domain controller. If
this check box is cleared, all files will be replicated.
150
Configuration
Include subdirectories
Select this check box to include all sub-folders found in the source
folder in the replication copy. Clear this check box to suppress the
copy of sub-folders.
Continue after errors
Select this check box to continue to replicate files even if an error
occurs while copying files. Clear this check box to stop replicating
files if an error occurs.
Preferences
Refresh timer
The Server Manager dialog box is constantly being refreshed in
order to display the most accurate status information. Enter a
number (in seconds) to represent how often Server Manager should
verify and update its statuses.
Background threads
Specify the number of Server Manager threads that can be run
concurrently for refreshing the service status', replication status,
etc. The minimum value that can be specified is 2 and the maximum
is 40. The default value is 10.
Disable the built-in KXRPC service on all servers
Select this check box to disable Desktop Authority's built-in KXRPC
service. Click Ok to accept the updated preferences. Click Cancel to
exit without saving any changes.
Default replication target location
Specify a folder that will hold the replicated files. Normally this
folder is the NETLOGON share.
Configure Site Map
Desktop Authority will attempt to connect to either the ScriptLogic
service on the DA logon server (the server where slogic.bat is
executed from, upon logon) or the Update service. If the requested
service does not respond, or is not installed on that server, Desktop
Authority will use a default site map to locate a server that has an
active and responsive service. The default site map is created based
on the information in the Server Manager list, and groups all servers
to their respective site. The default site map will instruct Desktop
Authority to attempt to connect with the service on one of the other
server(s) that are listed in the same site as the workstation's site.
151
Administrator's Guide
If for some reason, Server Manager does not include any servers
within the workstations defined site, or there is no available service
to connect to in the list of servers on the site, Desktop Authority will
then randomly select a server from the Server Manager list.
The default site map can be customized to utilize the enterprise's
topology. Click Define custom site map to customize the default
site map settings.
152
Configuration
ScriptLogic Service/Update Service tabs
Create site map automatically
Select this option to use the site map that is created by default by
Desktop Authority. This option will try to locate a responsive
service on the DA login server first, look to the default site map
and check other servers on the same site as the workstation. As a
last resort, Desktop Authority will randomly select a server from
the Server Manager list.
Define custom site map
Select this option to define a custom site map for specific to the
enterprise's topology. Selecting this option will enable the Site Map
grid and allow for changes to it. The default site map configuration
will appear in the grid, before any changes are made.
Do not use site map
Select this option to disable the site map functionality of Desktop
Authority. When not using a site map, default or custom, Desktop
Authority will first try to locate a responsive service on the DA login
server. If the service does not respond, then a random server will
be selected from the Server Manager list until a responsive service
is found.
153
Administrator's Guide
Configuring a custom site map
Select Define custom site map from the options. This will
present an editable grid, where you can build your custom site
map.
154
Configuration
Add site
Click Add site to add a new site to the site map list. Select a
known site from the drop down list, or click Add entry and
type in a site name.
Select *DEFAULT from the drop down list to create a custom
defined default site list. The custom defined default site list is
one that is used as a catch all for any workstation that does
not have a site defined for it. It is added to the custom site
map with a site name of *DEFAULT.
From this site configuration window, the entries for each site
will be entered. An entry can be either a server or a site.
155
Administrator's Guide
Select Server or Site from the Entry type drop down list.
Click Browse to select a server or site from the servers and
sites that Server Manager knows about or type in the name
of any other server or site that should be used. An asterisk
(*) will be automatically prepended to any site name in order
to distinguish it from a server entry.
Click Delete entry to remove a server/site entry from the
site map entry. Click Move up/Move down to change the
order of the server and/or site entries.
Click OK to save the Site changes. Click Cancel to go back to
the prior window without saving changes.
Edit site
Click Edit site to modify a site that is already on the site
map list.
Delete site
Click Delete site to remove a site from the site map list.
Client execution options
Check login server first (ScriptLogic Service tab only)
This option is selected by default. This instructs Desktop
Authority to check for a responsive ScriptLogic service on the
login server first. The servers on the site of the workstation
with the request will be recursed first.
Site recursion
This option will disregard any sites specified on a server
entry. This will disable the ability to link the sites recursively.
Server caching
The use of server caching will force Desktop Authority to
remember the last server where a responsive ScriptLogic
service was found and to use that one for the next request,
even if the next request is completed during another session.
If this option is not selected, the cache will not be used. This
will cause Desktop Authority to walk through the rules for
finding a responsive service each time a request is made.
Server cache days
Enter the number of days the cache should be reset on. The
default cache days are 5. This means, every 5 days, the
cache will be reset (the servers will be walked through every
5 days). Enter 0 to disable the number cache days, and to
always remember the last responsive server found.
156
Configuration
Randomly failover if site server is not available
Select this box to have Desktop Authority randomly choose a
server from the server manager list if all servers within the
specific site fail to give a response to indicate that it is
accessible.
Example Custom Site Map
Scenario 1
Let’s assume first that Workstation124, in the Tampa site,
makes a request of the ScriptLogic service. Since
Workstation124 ran slogic.bat from server Tampa-MS1, DA
will attempt to connect to the ScriptLogic service on TampaMS1.
157
Administrator's Guide
If the login server is unresponsive or the Check login server
first option is unchecked, the site that the workstation
belongs to will be discovered. The servers within the site will
be checked in order until a responsive server is found. In this
example, this means that the Tampa site will be discovered
from the workstation. The next servers to be checked will be
Tampa-DC1 and Tampa-MS2, respectively.
If all of the servers in the Tampa site fail, the example
custom site map is configured to continue searching on the
Dallas site. This is denoted with the *Dallas entry in the
Tampa site map. However, if the Site recursion option is
unchecked, the *Dallas entry in the site map will be
disregarded.
If all sites and servers defined in the Tampa custom site map
are exhausted, the default setting of the Randomly failover if
site server is not available option (checked), takes over and
servers listed in Server Manager will be randomly chosen
until a responsive server if found. Keep in mind that no
server will be checked more than once per request. If this
option is not checked, a responsive server will not be found
and the service request will fail.
Scenario 2
In this next example, Workstation1 makes a ScriptLogic
service request. Workstation1 has no default site defined.
Since Workstation1 ran slogic.bat from server MS3, DA will
begin with an attempt to connect to the ScriptLogic service
on the MS3 server. If the attempt fails, since there is no
default site definition for the workstation, the servers
specified for *DEFAULT will be used to look for a responsive
service. Remember that the *Default site does not exist
unless it was added to the custom site map by adding as a
site.
If the Check login server first is unchecked, the system will
go right to the servers defined in the *DEFAULT section of
the custom site map.
If the Randomly failover if site server is not available then
the service request will immediately fail as the options do not
allow the request to search for a responsive server.
158
Configuration
SERVER PROPERTIES
Right-click on one or more existing server(s) in the grid for several
server properties.
Add server
Select Add server to add a new server to the Server Manager grid.
Remove Server
Select Remove server to remove the selected server from the Server
Manager grid.
Discover DCs
Select Discover to force Server Manager to examine the network
for existing domain controllers. Depending on the number of domain
controllers and their geographic diversity over WAN links, this may
take some time.
Server Properties
Server Name
This is a display only field. It represents the server that is being
currently being configured.
Replication target
Select this check box to set the server as a replication target. All
files will be published to this server in the replication folder
specified.
Repl. Folder
Specify a folder that will hold the replicated files.
159
Administrator's Guide
SERVICE OPTIONS
Service
Services may be configured by selecting the specific server(s)
and/or service(s) in the Server Manager grid. To select a service,
click on a cell in the service column. To select multiple service cells
from the grid, hold down the CTRL key and click on each individual
cell.
The Server Manager grid also allows column and row selections.
Click the Server or Service column header to select an entire
column. Click
to select a row.
Once the selections are made, select the appropriate menu item or
right-click the selected items to select an action from the shortcut
menu.
Start
The Start Service action is available when at least one stopped
service on one or more servers is selected. On the Service menu,
click Start to start the service(s). Optionally, right-click on the
selected cells in the server manager grid and select Start from the
shortcut menu.
Stop
The Stop Service action is available when at least one started
service on one or more servers is selected. On the Service menu,
click Stop to stop the service(s). Optionally, right-click on the
selected cells in the server manager grid and select Stop from the
shortcut menu.
Restart
Restarting a service will simply stop and then start the selected
service. This is available when a started service on one or more
servers are selected. On the Service menu, click Restart to restart
the service(s). Optionally, right-click on the selected cells in the
server manager grid and select Restart from the shortcut menu.
160
Configuration
Configure
Configure allows the logon accounts and service start type to be
configured. The startup type can be set to Automatic, Disabled, or
Manual. The default startup type is set to Automatic. It is
recommended to use the Automatic startup type unless
troubleshooting service operations.
The Configure Service action is available when a started or stopped
service on one or more servers are selected. On the Service menu,
click Configure to configure the service(s). Optionally, right-click on
the selected cells in the server manager grid and select Configure
from the shortcut menu.
Install
Install performs the installation of the current version of the
selected service. The ScriptLogic service may be installed to multiple
servers at the same time.
Install is available when a selected cell has a service that is Not
Installed. On the Service menu, click Install to install the
service(s). Optionally, right-click on the selected cells in the server
manager grid and select Install from the shortcut menu.
Remove
Remove will remove the selected service from the server on which
it is installed. The ScriptLogic service may be removed from multiple
servers at the same time.
Remove is available when one or more started or stopped services
on one or more servers are selected. On the Service menu, click
Remove to remove the service(s). Optionally, right-click on the
selected cells in the server manager grid and select Remove from
the shortcut menu.
Update image
Update image performs the update of existing and currently
running service(s) that are outdated. One or more services may be
updated at the same time.
Update Image is available when a selected cell has an installed
service that is either started or stopped and is outdated. On the
Service menu, click Update image to update the service(s).
Optionally, right-click on the selected cells in the server manager
grid and select Update image from the shortcut menu.
161
Administrator's Guide
WHAT IS THE SCRIPTLOGIC SERVICE?
Conventional scripts typically execute under the security context of the
user logging on. Unless users are made administrators of their own
NT/2000/XP/2008/Vista machines, the ability to perform
administrative tasks through a centralized logon script will be limited
to each user's rights on their computer.
One of the key advantages offered by Desktop Authority is the ability
to perform tasks that require administrative rights without sacrificing
user-level security at the workstation. By using a specialized service,
Desktop Authority is able to make changes to the registry, install
software, add printers, synchronize time and perform any other tasks
that require elevated rights during the logon, logoff or shut down
sequences.
To install the ScriptLogic service, two unique sets of user credentials
must be supplied. One user account must have local administrative
rights on each workstation. By default, the Domain Admins group is a
member of the local Administrators group on each
NT/2000/XP/2008/Vista workstation, so selecting a user account that
belongs to the Domain Admins group would satisfy this requirement.
This account will be used by the ScriptLogic service on each server to
remotely install the ScriptLogic service on each workstation.
The second user account will be used by the ScriptLogic service on
each workstation to perform the actual tasks that require the elevated
administrative rights. This user account only needs to be a member of
the Domain Users group.
Installing this service to all domain controllers is the preferred action
for this service and provides the best configuration for load balancing.
162
Configuration
CONFIGURING THE SCRIPTLOGIC SERVICE
To configure a started or stopped service in the Server Manager grid,
right-click on a cell in the service column and select Configure Service
from the shortcut menu.
The following Service configuration dialog will appear:
Server Service (Domain Admin)
Log on as
Enter a Domain Admin account that the service will use to log on.
This should be entered in the format of Server\UserAccount.
Optionally, click
to select a user account.
Password
Enter the password associated with the selected log on account.
Confirm Password
Confirm the password for the selected log on account.
163
Administrator's Guide
Client Service (Domain User)
Log on as
Enter the Domain User account that the service will use to log on.
This should be entered in the format of Server\UserAccount.
Optionally, click
to select a user account.
Password
Enter the password associated with the selected user account.
Confirm Password
Confirm the password for the selected user account.
Startup Type
Select from Automatic, Disabled or Manual from the Startup Type
list.
Automatic will start the service immediately after it is installed.
Disable will stop the service if it is running and disable the service
from being run in the future. To use this service at a later time, the
Startup Type must be changed to either Automatic or Manual.
Manual will allow the service to be started at the administrators'
discretion. The service will never be started automatically.
Log files repository
Specify a folder to hold intermediate data collected for reporting.
Data is collected as users’ login and out of the network and includes
user, hardware and software inventories as well as patch data,
spyware data and much more. During specific timed intervals, data
is collected from this folder and parsed into the DAREPORTING
database.
The default path is %programfiles%\ScriptLogic\ETL Cache\.
The folder specified must be a folder on the server for which
the service is being configured for.
164
Configuration
WHAT IS THE UPDATE SERVICE?
The Update Service is used by the USB/Port Security, Software
Management, Patch Management and Anti-Spyware objects This
service interfaces with www.scriptlogic.com and www.microsoft.com in
order to retrieve licensing information as well as download patches,
anti-spyware definition updates and ScriptLogic Patch Management
updates. The Update Service offers an encrypted and secure
connection to the ScriptLogic web site.
If a proxy is used to access the internet, each server designated as a
Update server must be configured to work with the proxy.
165
Administrator's Guide
CONFIGURING THE UPDATE SERVICE
To configure a started or stopped Update Service in the Server
Manager grid, right-click on a cell in the service column and select a
configuration option from the shortcut menu.
When installing or configuring the service the following Update Service
configuration dialog will appear:
Service account (Domain Admin)
Log on as
Enter a Domain Admin account that the service will use to log on.
This should be entered in the format of Server\UserAccount.
Optionally, click
to select a user account.
Password
Enter the password associated with the selected log on account.
Confirm
Confirm the password for the selected log on account.
166
Configuration
LAN Settings...
Click LAN Settings to configure the use of proxy server settings.
LAN Settings can only be configured when the DA Update service is
installed and started. The settings are enforced on the server where
the service is installed to, for the specific service account user.
Startup Type
Select from Automatic, Disabled, or Manual from the Startup Type
list.
Automatic will start the service immediately after it is installed.
Disable will stop the service if it is running and disable the service
from being run in the future. To use this service at a later time, the
Startup Type must be changed to either Automatic or Manual.
Manual will allow the service to be started at the administrators'
discretion. The service will never be started automatically.
Look for updates at (download server)
For servers that are not configured to download updates, specify the
server where the update files will be made available from. Select
Auto from the list to allow the update files to be located
automatically when needed.
Allow this server to download updates
Select this check box to enable the Update Service to download
selected updates to this server. Downloads will be stored in the
specified download directory. Clear the box to prevent the service
downloading updates to this server. This option is only available
when the Updates Service is installed on more than one server.
Download cache directory
Specify the directory to which all updates will be downloaded to.
This directory specification is only available when one Update
Service is installed or on servers which are configured as Download
servers. The default download directory is %Program
Files%\ScriptLogic\Update Service\Cache.
Poll period (hours)
Specify how often the Update Service should look to ScriptLogic for
updates.
Import Updates and Patches from Path
Click Import Updates and Patches from Path to import the
update and patch data downloaded with the Desktop Authority
Update and Patch Download Service (DAUPDS) applet. Once clicked,
specify the location of the downloaded files. Click Import to start
the process.
167
Reporting
REPORTING OVERVIEW*
The Reporting object presents the opportunity to run predefined
reports distributed by ScriptLogic or the ability to create custom
reports. Reports can be run manually at any time or may be scheduled
to run on a specific and/or recurring Date/Time.
Pre-Defined Reports
Select a report category from the Pre-Defined Reports tree. The PreDefined Reports object contains reports created by ScriptLogic. Click
Generate or double-click a report in the report list to execute the
selected report. Click Import to gather new report templates made
available by ScriptLogic.
168
Reference
User-Defined Reports
Select User-defined Reports from the reporting tree. The User-defined
Reports object lists reports available for modification or generation.
Click New to create a new user-defined report or use the Wizard
interface by clicking Wizard. Click Modify or double-click a report in
the report list to open the selected report for changes. Click Generate
to run and view the selected report. Click Delete to remove the
selected report. Click Import to gather a user-defined .sli file into the
user-defined report repository. Click Export to create a user-defined
.sli file based on one or more reports in the user-defined report
repository. User-defined reports can be categorized into separate
folders. Click New Folder to create a new repository folder. Click
Delete Folder to remove a repository folder. Rename an existing
folder by clicking Rename Folder.
Generated (Saved) Reports
Select Generated (Saved) Reports from the reporting tree. Saved
reports are reports that have been run due to a Scheduled Report.
Click View or double-click a report in the report list to display the
selected report. Click Delete to remove the selected report.
Scheduled Reports
Select Scheduled Reports from the reporting tree. The Scheduled
Reports object defines a schedule for a selected report to be run
automatically. Scheduled reports can accept parameters and can be
defined to run one or more times. The schedule can also email the
report to a destination once it is run. Click New to create a new
schedule for a report. Click Modify or double-click a report in the
report list to change the scheduled settings for a report. Click Delete
to delete the selected scheduled report.
Scheduled reports are saved to the User-Defined report
repository.
169
Administrator's Guide
Enable/Disable Report Data Collection
Data is collected by Desktop Authority's OpsMaster service and the
ETLProcessor plugin. By default, data collection is enabled during the
installation of Desktop Authority; however, this may be disabled in
part or as a whole by using one or more predefined dynamic variables.
This can be done within the Global Options > Global Definitions.
Switch (where x = 0 or 1)
Description
$slCollectUserSessionInformation =
User Activity. where x = 0 disable, or x=1 - enable
$slCollectBasicMachineInformation
=x
Computer Information. where
x = 0 - disable, or x=1 enable
$slCollectPatchInformation = x
Patch data. where x = 0 disable, or x=1 - enable
$slCollectAntiSpywareInformation
=x
Anti-Spyware data. where x =
0 - disable, or x=1 - enable
$slCollectSoftwareInformation = x
Software data collection.
where x = 0 - disable, or x=1 enable
$slCollectHardwareInformation = x
Hardware data collection.
where x = 0 - disable, or x=1 enable
x
*This feature is not a standard part of Desktop Authority Express. To
obtain this feature, Desktop Authority Express must be upgraded to
the full version of Desktop Authority.
170
Reference
CREATING A SIMPLE REPORT
The following steps show how to create a simple report. Review the
Tips and Techniques to learn about advanced reporting concepts.
1. Create a New Report
Select the Reporting object in the Navigation pane of the Manager.
From the View pane, click the New button. The Reporting Tool will
open with a blank Report Design Surface. All new reports consist of
a Page Header, Detail, and Page Footer.
2. Create an SQL statement
The next step is to define an SQL statement that will connect the
report to the data. Desktop Authority provides several default SQL
statements to help jump start a report. Select a pre-defined SQL
statement from the Change Data Source drop list or click the SQL
button and enter your own SQL statement.
A data dictionary of all tables available has been provided to aid in
the process of SQL statement creation. This Data Dictionary can be
downloaded from the ScriptLogic web site.
3. Creating Groups
A report can consist of single or multiple nested groups, with each
group having its own header and footer sections. The header
section is inserted and printed immediately before the Detail
section. The footer section is inserted and printed immediately
after the Detail section. Up to 32 nested groups are allowed in a
single report.
To achieve the desired results, the data needs to be ordered by the
field that is to be grouped on. The data must be sorted in the
necessary grouping order using the ORDER BY clause on the SQL
statement.
•
Right-click in the Detail section of the report design surface,
select Insert > Insert Group Header/Footer. This will insert
a new group header/footer section into your report around
the existing detail section.
•
Set the group by field in the Properties window for the
group header. Change the DataField property to the field on
which the data is to be grouped.
•
Change the name of the group header to reflect the data
that is being grouped. For example, "ghMachineName" could
be the name of the group header with the DataField
property of "MachineName".
171
Administrator's Guide
4. Adding data to the report
To add a data field to the report, simply select the field from the
Fields toolbox and drag it onto the report design surface. Drop it
into the proper report section, i.e. Page Header/Footer, Group
Header/Footer, or Detail. Grouped data fields should be placed into
either the Group Header or Footer areas. Most often a grouped
data field is placed into the Group Header, leaving the Footer area
available for sums or counts on the group data.
Another way to add data to the report is to select a control from
the Toolbox. Click on the tool and then click on the area in the
report's design surface where the control will be displayed. Before
letting go, drag the mouse to size the control. Once the mouse
button is released the control will appear.
Once a data field has been added to the report design surface, it
may need to be sized and/or properties may need to be set. When
the data field is placed on the design surface, it will be given a
default name. It is recommended that the (Name) property be
changed to reflect a user friendly and recognizable name. This is
the name the data field will be referenced as throughout the
report. If the control will hold static text, set the Text property to
the actual text value.
There are many other properties that may be set. Refer to the
Properties box reference to read about other properties.
172
Reference
5. Generate the Report
To execute the report while in design mode, click the Generate tab
on the top of the report design surface.
If the report uses runtime parameters, before execution, the user
will be prompted to enter the values for the parameters.
5. Save Report
on the Menubar to complete and save the report. If the
Click
report has not been previously saved in the User Defined report
repository, provide a name for the report when prompted. The
report will be saved to the User Defined report repository. Reports
can not be saved to the Pre-Defined report repository.
173
Administrator's Guide
SCHEDULED REPORTS
Desktop Authority's Report Scheduler dialog displays a list of the
reports scheduled, their scheduled date and time, and the recurrence
of the schedule. Scheduled Reports can recur by either running once,
daily, weekly, monthly, or end of month. The scheduler can
automatically e-mail reports once the report is complete.
Scheduled Report Settings
Report to be scheduled
Select a Report category and then the report from the report list.
Export File Name
Specify the name of the final report output file. The current
date/time will be appended to the end of the file name.
Ex. ThisScheduledReport (5-15-2005 12 45 16).pdf
174
Reference
Export Location
Select Server to generate the scheduled report into the default
reports repository (\ScriptLogic Manager\Repositories). Select
Other Location in order to specify some other location to save the
report to.
Export Type
Select the type of report to create. Reports can be exported to
HTML, Adobe PDF, Word/Rich Text Format, Text, Tiff, Excel and
Active Report RDF.
Report Parameters
If the selected report uses runtime parameters, click View/Input
Parameters to set the default runtime values. The first column in
the list contains the runtime field name and the second column
contains the value of the parameter.
When upgrading Desktop Authority or importing reports from
an updated SLI file, parameters from all scheduled reports
will become null and void. These parameters must be reentered for the scheduled report before the report can be
successfully executed.
Scheduled Date/Time
Select the Date and Time for the report to be run. For recurring
to select a
reports this will be the starting Date and Time. Click
date.
Recurrence
Reports can be scheduled to run one or more times based on a
recurring basis. Select from Once, Daily, Weekly, Monthly or End of
Every Month. Only one recurrence period can be selected per
scheduled report.
Scheduled Report Emailing
Email Distribution List
The Email Distribution List contains all email addresses to which the
report output will be delivered. If the report results in an error, no
report will be sent to this distribution list. Click Add to add an email
address to the list. Click Delete to remove the selected email
address from the list.
Email From
Enter the source of where the email is coming from. Usually this will
be the senders email address.
175
Administrator's Guide
Email Subject
Enter the subject of the email that will be used to distribute the
report.
Email Body
Enter the text to appear in the body of the email that will be used to
distribute the report.
Error Notification
Error Notification Email Distribution List
If an error occurs in a report, an email will be sent to all email
addresses in the Error Notification Email Distribution List. A report
will also be generated showing the error message. This error report
will be saved to the Generated (Saved) Reports repository.
Click Add to add an email address to the list. Click Delete to
remove an email address from the list.
Error Notification From
Enter the email address from whom the Error Notification Email will
come.
When saving a scheduled report it will be saved to the User-Defined
Report Repository.
176
Reference
PRE-DEFINED REPORTS
Desktop Authority includes several pre-defined reports for use within
the Reporting tool. Pre-defined reports may be used as is or modified
to suit ones particular needs.
The pre-defined report set includes the following reports:
Administrative Audit Reports
Admin Audit - Administrator Activity
The Administrator Activity report details the activity of one or
more administrators. Collected operations include:
Type
Operation
Description
Profile
Add
A Profile has been
added.
Profile
Update
A Profile has been
changed.
Profile
Delete
A Profile has been
deleted.
Profile
ForceUnlock
A Profile has been
unlocked by another
user.
Profile
Published
A Profile has been
replicated to the Domain
Controllers.
ProfileElement
Add
An Element has been
added to a profile.
ProfileElement
Update
An Element has been
changed in a profile.
ProfileElement
Delete
An Element has been
deleted from a profile.
User
Add
A User or group has been
added to the Super
User/Group list.
User
Update
A User or group has been
updated in the Super
User/Group list.
User
Delete
A User or group has been
deleted from the Super
User/Group list.
Role
Add
A Role has been added to
the Roles table.
177
Administrator's Guide
Role
Update
A Role has been updated
in the Roles table.
Role
Delete
A Role has been deleted
from the Roles table.
Role
ForceUnlock
A Record lock has been
removed by another user.
RoleUser
Add
A SID has been added to
the RoleUsers table.
RoleUser
Update
A SID has been updated
in the RoleUsers table.
RoleUser
Delete
A SID has been deleted
from the RoleUsers
table.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
178
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Reference
Sample report:
179
Administrator's Guide
Admin Audit - Profiles
The Profile Activity report details the activity executed on one or
all profiles. The activities detailed are Profile Add, Update, Delete,
Unlock and Replicate, and Profile Element Add, Update and Delete.
The report includes the date and time the operation took place, the
actual operation along with a description of the operation, the profile
acted upon and the administrator that performed the operation.
The Profile Activity report prompts the user for the Name of the
Profile to report on as well as the Start and End Date range to
include in the report. By default, the Profile Activity report is sorted
in Log Time order.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
180
Reference
Admin Audit - Roles Maintenance
The Roles Maintenance report details the activity with respect to
adding, updating and deleting local and global roles. The activities
detailed are Profile Add, Update, Delete, Unlock and Replicate, and
Profile Element Add, Update and Delete. The report includes the
date and time the operation took place, the actual operation along
with a description of the operation, the profile acted upon and the
administrator that performed the operation.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
181
Administrator's Guide
Admin Audit - User Maintenance
The User Maintenance Audit report details the activity done by any
system user.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
182
Reference
Anti-Spyware Reports
Anti-Spyware Activity
The Anti-Spyware Activity report reports on data collected about
spyware found on client computers. The report contains a graphical
chart depicting the top 10 infected computers, categorized by threat
level.
The Anti-spyware Activity report prompts the user for the
Computer Name, Computer OU, Virtual Machine type, Scanned
Since date, Infection Result to report on as well as the Variant
Last Detected Starting and Variant Last Detected Ending Date
Range to include in the report.
This report is ordered by Threat Level, Variant Name, Computer
Name, Anti-Spyware Category, Infection File Name and Infection
Path.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
183
Administrator's Guide
Sample Report:
184
Reference
Anti-Spyware Activity - Summary Page
The Anti-Spyware Activity - Summary Page report consists of a
graphical chart depicting the top 10 infected computers, categorized
by threat level and the top 10 infections by threat level.
The Anti-spyware Activity report prompts the user for the
Computer Name, Virtual Machine type, Scanned Since data and
Infection Result to report on as well as the Last Detected
Starting and Last Detected Ending Date Range to include in the
report.
This report is ordered by Threat Level, Variant Name, Computer
Name, Anti-Spyware Category, Infection File Name and Infection
Path.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
185
Administrator's Guide
Sample Report:
186
Reference
Hardware Inventory Reports
Hardware Inventory - by Component
The Hardware Inventory - Detailed by Component report
reports on data collected from computers logging onto the network.
The report details each computer's installed hardware.
The Hardware Inventory - Detailed by Component report prompts
the user for the Computer Name, Computer OU, Virtual
Machine, Virtual Environment, Operating System, Service
Pack, Platform, Computer Model, NIC Model, Display Type,
RAM and Scanned Since date.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
187
Administrator's Guide
Sample Report:
188
Reference
Hardware Inventory - Detailed
The Hardware Inventory - Detailed report reports on data
collected from computers logging onto the network. The report
details each computer's installed hardware.
The Hardware Inventory - Detailed report prompts the user for the
Computer Name, Computer OU, Virtual Machine type, Virtual
Environment, Operating System, Computer Platform and
Scanned Since Date.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
189
Administrator's Guide
Sample Report:
190
Reference
Hardware Inventory - Computers Missing
The Hardware Inventory - Computers Missing report lists
computers that were detected by Desktop Authority at one time on
the network, but are no longer found to be active. For example, if
Computer X was found on the network everyday for a couple weeks
and then was not found at all for the next 2 weeks, Computer X
would show as a computer that was not found within the last week.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
191
Administrator's Guide
Hardware Inventory -Detailed - Summary Page
The Hardware Inventory - Detailed - Summary Page report
reports on data collected from computers logging onto the network.
The report includes a summary of the Operating Systems, Physical
Memory, Processors and Computer Classes and is followed by the
details for each computer.
The Hardware Inventory - Detailed - Summary Page report prompts
the user for the Computer Name, Computer OU, Virtual
Machine type, Operating System, Computer Platform and
Scanned Since Date.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
192
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Reference
Sample Report:
193
Administrator's Guide
Hardware Inventory - Detailed with Virtual Machines
The Hardware Inventory (Detailed with Virtual Machines)
report reports on data collected from computers logging onto the
network. The report details each computer's installed hardware.
The Hardware Inventory (Detailed with Virtual Machines) report
prompts the user for the Computer Name, Computer OU, Virtual
Machine type, Virtual Environment, Operating System,
Computer Platform and Scanned Since Date.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
194
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Reference
Sample Report:
195
Administrator's Guide
Hardware Inventory - Excel Optimized
The Hardware Inventory - Excel Optimized report reports on
data collected from computers logging onto the network. The report
details each computer's basic hardware and is optimized for use in
Microsoft Excel.
The Hardware Inventory - Excel Optimized report prompts the user
for the Computer Name, Virtual Machine type, Scanned Since
Date and Computer Platform
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
Viewed in Desktop Authority
Imported into Excel
196
Reference
Hardware Inventory - Monitors
The Hardware Inventory - Monitors report reports on data
collected from computers logging onto the network.
The Hardware Inventory - Monitors report prompts the user for the
Computer Name, Computer OU, Virtual Machine
type,Computer Platform and Scanned Since Date.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
197
Administrator's Guide
Sample Report:
198
Reference
Hardware Inventory - Summary
The Hardware Inventory - Summary report reports on data
collected from computers logging onto the network. The report
summarizes each computer's name, class, manufacturer, model,
memory, operating system and the date it was last scanned.
The Hardware Inventory - Summary report prompts the user for the
Computer Name, Virtual Machine type, Scanned Since and
Computer Platform.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
199
Administrator's Guide
Hardware Inventory - Vista Compatibility
The Hardware Inventory - Vista Compatibility report presents
data collected from computers that have logged on to the network.
The report lists computers that meet the minimum requirements of
Microsoft's Vista operating system. This report checks specifically for
a computer that has a processor clock speed that is greater than or
equal 800 MHz, greater than or equal 512 MB RAM, greater than or
equal 20GB hard drive size, greater than or equal 15GB hard drive
free space and a CD-ROM drive. This report is intended to be used
to determine which computers are compatible with Microsoft Vista
per Microsoft's published minimum requirements.
The Hardware Inventory - Vista Compatibility report prompts the
user for the Scanned Since date, Computer Name, Computer
OU, Computer Platform and Virtual Machine type.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
200
Reference
Hardware Inventory - Vista Incompatibility
The Hardware Inventory - Vista Incompatibility report presents
data collected from computers that have logged on to the network.
The report lists computers that do not meet the minimum
requirements of Microsoft's Vista operating system. This report
checks specifically for a computer that has a processor clock speed
that is less than 800 MHz, less than 512 MB RAM, less than 20GB
hard drive size, less than 15GB hard drive free space or no CD-ROM
drive. This report is intended to be used to determine which
computers need to be upgraded to work successfully with Microsoft
Vista.
The Hardware Inventory - Vista Incompatibility report prompts the
user for the Computer Name, Computer OU, Scanned Since,
Virtual Machine type and Computer Platform.
Report Parameters:
All character based parameter values can make use of a % wildcard
value. A % symbol can be added to the beginning and/or end of a
phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
201
Administrator's Guide
Sample Report:
202
Reference
Managed Computer Inventory
The Managed Computer Inventory report summarizes all clients
including terminal servers that have been configured by Desktop
Authority. The Inventory list is broken up into three categories, a)
desktops directly managed by Desktop Authority, b) computers
connecting to Terminal Servers managed by Desktop Authority and
c) Terminal Servers directly managed by Desktop Authority.
The Managed Computer Inventory report prompts the user to filter
on Computer Name, Last Detected date, Virtual Machine type
and Computer Platform.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
203
Administrator's Guide
Miscellaneous Reports
Logging - Default
The Logging report is used to track information about users logging
onto the network and the computer they are logging from. The
specific data collected can be customized within the Logging profile
object. The default collection data set includes:
•
Current date
•
Current time
•
Authenticating Domain controller
•
Connection Method
•
Computer name
•
Computer type
•
TCP/IP address
•
CPU type
•
CPU speed
•
Physical RAM
•
System drive
•
Verbose Operating System version
•
Current service pack
•
Current hot fixes
•
Internet Explorer version
•
User ID
•
User's full name
•
User account description
•
Event Type
This report is included for use with legacy systems that use
the logging data files (.CSV) from prior versions of Desktop
Authority. This report can also be used to export data to
Excel or other systems for further manipulation and/or
study.
Report Parameters:
There are no runtime parameters for this report.
Sample Report:
204
Reference
Energy Efficiency Audit
The Energy Efficiency Audit report demonstrates the estimated
energy savings using Desktop Authoritys Power Schemes feature, as
well as documents the number and names of managed computers
for use by Utility Companies for energy efficiency rebates.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
205
Administrator's Guide
Sample Report:
206
Reference
Power Management Savings Calculator
The Power Management Savings Calculatorpresents data
collected from computers that have logged on to the network. The
report details the enterprise's potential cost savings based on the
Power Management settings specified in the report parameters
dialog.
Report Parameters:
207
Administrator's Guide
Sample Report:
Report Template (Landscape/Portrait)
The ReportTemplateLandcape and ReportTemplatePortrait
reports are template reports that are used with the User-Defined
Report Wizard. These reports should not be modified.
208
Reference
Patch Management Reports
Patch Management Status - Executive Summary
The Patch Management Status report reports on data collected
regarding missing Operating System and application patches. The
report contains a graphical chart depicting the top 10 computers
with missing patches by Severity and the top 10 missing patches by
severity.
The Patch Status report prompts the user for the Computer Name
to report on as well as the Scanned Since,Status and Last
Detected date to include in the report.
This report is ordered by Computer Name, Patch Status, Severity
and Product.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
209
Administrator's Guide
Patch Management Status
The Patch Management Status report reports on data collected
regarding missing Operating System and application patches.
The Patch Status report prompts the user for the Computer Name
to report on as well as the Scanned Since,Status and Last
Detected date to include in the report.
This report is ordered by Computer Name, Patch Status, Severity
and Product.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
210
Reference
Profile Reports
Profile Full Detail
The Profile Full Detail report details on selected objects and
elements for the specified profile(s). The report includes a Profile
Summary followed by each of the selected object element details
including Validation Logic, Created By, Last Modified Date and Last
Modified By.
The Profile Full Detail report prompts the user for the Profile
Name, Parent Profile Name and Profile Objects. All elements of
each profile and profile object are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
211
Administrator's Guide
Sample Report:
212
Reference
Profile Objects - Alerts
The Profile Object - Alerts report details all Alerts elements for
the specified profiles. The report includes a Profile Summary of each
profile containing Alerts elements followed by each element's details
including Validation Logic, Created By, Last Modified Date and Last
Modified By.
The Profile Object - Alerts report prompts the user for the Profile
Name and Parent Profile Name. All elements of each profile are
grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
213
Administrator's Guide
Profile Objects - Anti-Spyware
The Profile Object - Anti-Spyware report details all Anti-Spyware
elements for the specified profiles. The report includes a Profile
Summary of each profile containing Anti-Spyware elements followed
by each element's details including Validation Logic, Created By,
Last Modified Date and Last Modified By.
The Profile Object - Anti-Spyware report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
214
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Reference
Sample Report:
215
Administrator's Guide
Profile Objects - Common Folder Redirection
The Profile Object - Common Folder Redirection report details
all Common Folder Redirection elements for the specified profiles.
The report includes a Profile Summary of each profile containing
Common Folder Redirection elements followed by each element's
details including Validation Logic, Created By, Last Modified Date
and Last Modified By.
The Profile Object – Common Folder Redirection report prompts the
user for the Profile Name and Parent Profile Name. All elements
of each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
216
Reference
Profile Objects - Display
The Profile Object - Display report details all Display elements for
the specified profiles. The report includes a Profile Summary of each
profile containing Display elements followed by each element's
details including Validation Logic, Created By, Last Modified Date
and Last Modified By.
The Profile Object - Display report prompts the user for the Profile
Name and Parent Profile Name. All elements of each profile are
grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
217
Administrator's Guide
Profile Objects - Drive Mappings
The Profile Object - Drive Mappings report details all Drives
elements for the specified profiles. The report includes a Profile
Summary of each profile containing Drives elements followed by
each element's details including Validation Logic, Created By, Last
Modified Date and Last Modified By.
The Profile Object - Drive Mappings report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
218
Reference
Profile Objects - Environment
The Profile Object - Environment report details all Environment
elements for the specified profiles. The report includes a Profile
Summary of each profile containing Environmentelements followed
by each element's details including Validation Logic, Created By,
Last Modified Date and Last Modified By.
The Profile Object - Environment report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
219
Administrator's Guide
Profile Objects - File Operations
The Profile Object - File Operations report details all File
Operations elements for the specified profiles. The report includes a
Profile Summary of each profile containing File Operations elements
followed by each element's details including Validation Logic,
Created By, Last Modified Date and Last Modified By.
The Profile Object - File Operations report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
220
Reference
Profile Objects - File/Registry Permissions
The Profile Object - File/Registry Permissions report details all
Permissions elements for the specified profiles. The report includes a
Profile Summary of each profile containing Permissions elements
followed by each element's details including Validation Logic,
Created By, Last Modified Date and Last Modified By.
The Profile Object - File/Registry Permissions report prompts the
user for the Profile Name and Parent Profile Name. All elements
of each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
221
Administrator's Guide
Profile Objects - Folder Redirection
The Profile Object - Folder Redirection report details all Folder
Redirection elements for the specified profiles. The report includes a
Profile Summary of each profile containing Folder Redirection
elements followed by each element's details including Validation
Logic, Created By, Last Modified Date and Last Modified By.
The Profile Object - Folder Redirection report prompts the user for
the Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
222
Reference
Profile Objects - General
The Profile Object - General report details all General elements
for the specified profiles. The report includes a Profile Summary of
each profile containing General elements followed by each element's
details including Validation Logic, Created By, Last Modified Date
and Last Modified By.
The Profile Object - General report prompts the user for the Profile
Name and Parent Profile Name. All elements of each profile are
grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
223
Administrator's Guide
Sample Report:
224
Reference
Profile Objects - Group Policy Templates
The Profile Object - Group Policy Templates report details all
Group Policy Template elements for the specified profiles. The report
includes a Profile Summary of each profile containing Group Policy
Template elements followed by each element's details including
Validation Logic, Created By, Last Modified Date and Last Modified
By.
The Profile Object - Group Policy Templates report prompts the user
for the Profile Name and Parent Profile Name. All elements of
each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
225
Administrator's Guide
Profile Objects - Inactivity
The Profile Object - Inactivity report details all Inactivity
elements for the specified profiles. The report includes a Profile
Summary of each profile containing Inactivity elements followed by
each element's details including Validation Logic, Created By, Last
Modified Date and Last Modified By.
The Profile Object - Inactivity report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
226
Reference
Profile Objects - INI Files
The Profile Object - INI Files report details all INI File elements
for the specified profiles. The report includes a Profile Summary of
each profile containing INI File elements followed by each element's
details including Validation Logic, Created By, Last Modified Date
and Last Modified By.
The Profile Object - INI Files report prompts the user for the Profile
Name and Parent Profile Name. All elements of each profile are
grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
227
Administrator's Guide
Profile Objects - Internet Explorer Settings
The Profile Object - Internet Explorer Settings report details all
Internet elements for the specified profiles. The report includes a
Profile Summary of each profile containing Internet elements
followed by each element's details including Validation Logic,
Created By, Last Modified Date and Last Modified By.
The Profile Object - Internet Explorer Settings report prompts the
user for the Profile Name and Parent Profile Name. All elements
of each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
228
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Reference
Sample Report:
229
Administrator's Guide
Profile Objects - Application Launcher
The Profile Object - Application Launcher report details all
Application Launcher elements for the specified profiles. The report
includes a Profile Summary of each profile containing Application
Launcher elements followed by each element's details including
Validation Logic, Created By, Last Modified Date and Last Modified
By.
The Profile Object - Application Launcher report prompts the user for
the Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
230
Reference
Profile Objects - Legal Notice
The Profile Object - Legal Notice report details all Legal Notice
elements for the specified profiles. The report includes a Profile
Summary of each profile containing Legal Notice elements followed
by each element's details including Validation Logic, Created By,
Last Modified Date and Last Modified By.
The Profile Object - Legal Notice report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
231
Administrator's Guide
Profile Objects - Logging
The Profile Object - Logging report details all Logging elements
for the specified profiles. The report includes a Profile Summary of
each profile containing Logging elements followed by each element's
details including Validation Logic, Created By, Last Modified Date
and Last Modified By.
The Profile Object - Logging report prompts the user for the Profile
Name and Parent Profile Name. All elements of each profile are
grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
232
Reference
Profile Objects - Message Boxes
The Profile Object - Message Boxes report details all Message
Boxes elements for the specified profiles. The report includes a
Profile Summary of each profile containing Message Boxes elements
followed by each element's details including Validation Logic,
Created By, Last Modified Date and Last Modified By.
The Profile Object - Message Boxes report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
233
Administrator's Guide
Profile Objects - Microsoft Office Settings
The Profile Object - Microsoft Office Settings report details all
Microsoft Office elements for the specified profiles. The report
includes a Profile Summary of each profile containing Microsoft
Office elements followed by each element's details including
Validation Logic, Created By, Last Modified Date and Last Modified
By.
The Profile Object - Microsoft Office Settings report prompts the user
for the Profile Name and Parent Profile Name. All elements of
each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
234
Reference
Profile Objects - Microsoft Outlook Profiles
The Profile Object - Microsoft Office Profiles report details all
Mail Profile elements for the specified profiles. The report includes a
Profile Summary of each profile containing Mail Profile elements
followed by each element's details including Validation Logic,
Created By, Last Modified Date and Last Modified By.
The Profile Object - Microsoft Office Profiles report prompts the user
for the Profile Name and Parent Profile Name. All elements of
each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
235
Administrator's Guide
Sample Report:
236
Reference
Profile Objects - Microsoft Outlook Settings
The Profile Object - Microsoft Outlook Settings report details all
Outlook elements for the specified profiles. The report includes a
Profile Summary of each profile containing Outlook elements
followed by each element's details including Validation Logic,
Created By, Last Modified Date and Last Modified By.
The Profile Object - Microsoft Outlook Settings report prompts the
user for the Profile Name and Parent Profile Name. All elements
of each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
237
Administrator's Guide
Sample Report:
238
Reference
Profile Objects - Patch Management
The Profile Object - Patch Management report details all Patch
Management elements for the specified profiles. The report includes
a Profile Summary of each profile containing Patch Management
elements followed by each element's details including Validation
Logic, Created By, Last Modified Date and Last Modified By.
The Profile Object - Patch Management report prompts the user for
the Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
239
Administrator's Guide
Profile Objects - Path
The Profile Object - Path report details all Path elements for the
specified profiles. The report includes a Profile Summary of each
profile containing Path elements followed by each element's details
including Validation Logic, Created By, Last Modified Date and Last
Modified By.
The Profile Object - Path report prompts the user for the Profile
Name and Parent Profile Name. All elements of each profile are
grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
240
Reference
Profile Objects - Post-Engine Scripts
The Profile Object - Post-Engine report details all Post-Engine
elements for the specified profiles. The report includes a Profile
Summary of each profile containing Post-Engine elements followed
by each element's details including Validation Logic, Created By,
Last Modified Date and Last Modified By.
The Profile Object - Post-Engine report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
241
Administrator's Guide
Profile Objects - Power Schemes
The Profile Object - Power Schemes report details all Power
Scheme elements for the specified profiles. The report includes a
Profile Summary of each profile containing Power Scheme elements
followed by each element's details including Validation Logic,
Created By, Last Modified Date and Last Modified By.
The Profile Object - Power Schemes report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
242
Reference
Profile Objects - Pre-Engine Scripts
The Profile Object - Pre-Engine report details all Pre-Engine
elements for the specified profiles. The report includes a Profile
Summary of each profile containing Pre-Engine elements followed by
each element's details including Validation Logic, Created By, Last
Modified Date and Last Modified By.
The Profile Object - Pre-Engine report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
243
Administrator's Guide
Profile Objects - Printers
The Profile Object - Printer report details all Printer elements for
the specified profiles. The report includes a Profile Summary of each
profile containing Printer elements followed by each element's
details including Validation Logic, Created By, Last Modified Date
and Last Modified By.
The Profile Object - Printer report prompts the user for the Profile
Name and Parent Profile Name. All elements of each profile are
grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
244
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Reference
Sample Report:
245
Administrator's Guide
Profile Objects - Registry
The Profile Object - Registry report details all Registry elements
for the specified profiles. The report includes a Profile Summary of
each profile containing Registry elements followed by each element's
details including Validation Logic, Created By, Last Modified Date
and Last Modified By.
The Profile Object - Registry report prompts the user for the Profile
Name and Parent Profile Name. All elements of each profile are
grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
246
Reference
Profile Objects - Remote Management
The Profile Object - Remote Management report details all
Remote Management elements for the specified profiles. The report
includes a Profile Summary of each profile containing Remote
Management elements followed by each element's details including
Validation Logic, Created By, Last Modified Date and Last Modified
By.
The Profile Object - Remote Management report prompts the user
for the Profile Name and Parent Profile Name. All elements of
each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
247
Administrator's Guide
Sample Report:
248
Reference
Profile Objects - Security Policies
The Profile Object - Security Policies report details all Security
Policy elements for the specified profiles. The report includes a
Profile Summary of each profile containing Security Policy elements
followed by each element's details including Validation Logic,
Created By, Last Modified Date and Last Modified By.
The Profile Object - Security Policies report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
249
Administrator's Guide
Profile Objects - Service Pack Deployment
The Profile Object - Service Pack Deployment report details all
Service Pack elements for the specified profiles. The report includes
a Profile Summary of each profile containing Service Pack elements
followed by each element's details including Validation Logic,
Created By, Last Modified Date and Last Modified By.
The Profile Object - Service Pack Deployment report prompts the
user for the Profile Name and Parent Profile Name. All elements
of each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
250
Reference
Profile Objects - Shortcuts
The Profile Object - Shortcuts report details all Shortcut elements
for the specified profiles. The report includes a Profile Summary of
each profile containing Shortcut elements followed by each
element's details including Validation Logic, Created By, Last
Modified Date and Last Modified By.
The Profile Object - Shortcut report prompts the user for the Profile
Name and Parent Profile Name. All elements of each profile are
grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
251
Administrator's Guide
Sample Report:
252
Reference
Profile Objects - Software Management
The Profile Object - Software Management report details all
Software Deployment elements for the specified profiles. The report
includes a Profile Summary of each profile containing Software
Deployment elements followed by each element's details including
Validation Logic, Created By, Last Modified Date and Last Modified
By.
The Profile Object - Software Management report prompts the user
for the Profile Name and Parent Profile Name. All elements of
each profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
253
Administrator's Guide
Sample Report:
254
Reference
Profile Objects - Time Sync
The Profile Object - Time Sync report details all Time Sync
elements for the specified profiles. The report includes a Profile
Summary of each profile containing Time Sync elements followed by
each element's details including Validation Logic, Created By, Last
Modified Date and Last Modified By.
The Profile Object - Time Sync report prompts the user for the
Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
255
Administrator's Guide
Profile Objects - USB/Port Security
The Profile Object - USB/Port Security report details all
USB/Port Security elements for the specified profiles. The report
includes a Profile Summary of each profile containing the USB/Port
Security elements followed by each element's details including
Validation Logic, Created By, Last Modified Date and Last Modified
By.
The Profile Object - USB/Port Security report prompts the user for
the Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
256
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Reference
Sample Report:
257
Administrator's Guide
Profile Objects - Windows Firewall
The Profile Object - Windows Firewall report details all Windows
Firewall elements for the specified profiles. The report includes a
Profile Summary of each profile containing Windows Firewall
elements followed by each element's details including Validation
Logic, Created By, Last Modified Date and Last Modified By.
The Profile Object - Windows Firewall report prompts the user for
the Profile Name and Parent Profile Name. All elements of each
profile are grouped together.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
258
Reference
Profiles Summary
The Profiles Summary summarized all existing profiles in the
Manager. The report includes the following profile information:
Profile Name, Parent Profile Name, Child Profiles, Last Modified Date
and Profile Validation Logic.
The Profiles Summary prompts the user for the Profile Name and
Parent Profile Name.
This report is ordered by Profile Name.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
259
Administrator's Guide
Software Inventory Reports
Software Inventory - Summary Page
The Software Inventory - Summary Page report reports on data
collected from computers logging onto the network. The report
details each computer's installed software. The report includes
graphical representation of the Software installed on computers
reported on and the number of installations for each application. It
is followed by the software details for each computer.
The Software Inventory report prompts the user for the Scanned
Since, Computer Name and Virtual Machine type.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
260
Reference
Software Inventory - Total Installations
The Software Inventory - Total Installations report reports on
data collected regarding installed applications. The report counts the
various applications on each desktop based on collected data.
The Software Inventory - Total Installations report prompts the user
for the Report Date to include Computer Name, Computer OU,
Virtual Machine type, Scanned Since and Software Name.
This report is ordered by Software Name and Number of
Installations in descending order.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
261
Administrator's Guide
Software Inventory - Total Installations with Computer List
The Software Inventory - Total Installations with Computer
List report reports on data collected from computers logging onto
the network. The report details each computer's installed software,
sorted by Software Name..
The Software Inventory report prompts the user for the Computer
Name, Computer OU, Virtual Machine type, Scanned Since
and Software Name.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
262
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Reference
Sample Report:
263
Administrator's Guide
Software Inventory including Updates and Hotfixes
The Software Inventory including Hotfixes and Updates)
report reports on data collected from computers logging onto the
network. The report details each computer's installed software.
The Software Inventory report prompts the user for the Computer
Name, Computer OU, Virtual Machine type, Scanned Since and
Software Name.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
264
Reference
Software Inventory with Last User including Updates and Hotfixes
The Software Inventory with Last User (includes Updated)
report reports on data collected from computers logging onto the
network. The report details each computer's installed software.
The Software Inventory report prompts the user for the Computer
Name, Computer OU, Virtual Machine type, Scanned Since
date and Software Name.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
265
Administrator's Guide
Software Inventory with Last User
The Software Inventory with Last User report reports on data
collected from computers logging onto the network. The report
details each computer's installed software.
The Software Inventory report prompts the user for the Computer
Name, Computer OU, Virtual Machine type, Scanned Since
date, and Software Name.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
266
Reference
Software Inventory
The Software Inventory report reports on data collected from
computers logging onto the network. The report details each
computer's installed software.
The Software Inventory report prompts the user for the Computer
Name, Computer OU, Virtual Machine type, Scanned Since
date, and Software Name.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
267
Administrator's Guide
Software Management Reports
Software Management - Detailed By Product
The Software Management - Detailed By Product report details
the packages that have been deployed by a Software Management
configuration element.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
268
Reference
Software Management - Summary
The Software Management - Summary report lists the software
packages deployed by a Software Management configuration
element.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
269
Administrator's Guide
USB-Port Security Reports
All USB Devices
The USB-Port Security - All USB Devices report lists all USB
devices attached to a computer on the network.
The USB-Port Security - All Device Events report prompts the
user for the Computer Name, Event type, Virtual Machine type,
Computer type and Logged Since date to report on.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
270
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Reference
Sample Report:
271
Administrator's Guide
All USB Devices by Computer
The USB-Port Security - All USB Devices By Computer report
lists all USB devices attached to a computer on the network.
The USB-Port Security - All Device Events report prompts the
user for the Computer Name, Event type, Virtual Machine type,
Computer type and Logged Since date to report on.
The report is sorted by Computer Name.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
272
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Reference
Sample Report:
273
Administrator's Guide
All USB Devices by User
The USB-Port Security - All USB Devices By User report lists all
USB devices attached to a computer on the network.
The USB-Port Security - All Device Events report prompts the
user for the Computer Name, Event type, Virtual Machine type,
Computer type and Logged Since date to report on.
The report is sorted by Computer Name.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
274
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Reference
Sample Report:
275
Administrator's Guide
USB-Port Security - All Device Events
The USB-Port Security - All Device Events report reports on data
collected about the following device events: Plugin / Powerup,
Unplug / Disable, Device Disabled, Device Enabled, Read and Write
Denied and Read and Write Allowed. Filenames will be reported on
all read and write events to a removable storage device.
The USB-Port Security - All Device Events report prompts the
user for the Event type, Virtual Machine type, Computer type
and Scanned Since date to report on.
This report is ordered by Log Time.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
276
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Reference
Sample Report:
277
Administrator's Guide
USB-Port Security - Classes Denied
The USB-Port Security - Classes Denied report reports on data
collected about denied and disabled device events per class of
device. Device classes include Blackberry, Bluetooth, CD/DVD,
Firewire, Floppy Disks, Hard Disk Drives, Infrared ports, IoMega
devices, MP3 Players, Modems, PCMCIA controllers, Palm OS
Devices, Parallel ports, Pocket PC devices, Removable storage
devices, Serial ports, USB storage and WiFi devices.
The USB-Port Security - Classes Denied report prompts the user
for the Scanned Since date to report on. The report can also be run
for All machines, Virtual Machines only or Non-virtual Machines only.
This report is grouped by Class and sorted by Device Description.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
278
Reference
USB-Port Security - Detailed By Class
The USB-Port Security - Detailed by Class report reports on data
collected about each class of devices. Device classes include
Blackberry, Bluetooth, CD/DVD, Firewire, Floppy Disks, Hard Disk
Drives, Infrared ports, IoMega devices, MP3 Players, Modems,
PCMCIA controllers, Palm OS Devices, Parallel ports, Pocket PC
devices, Removable storage devices, Serial ports, USB storage and
WiFi devices.
The USB-Port Security - Detailed by Class report prompts the
user for the Scanned Since date to report on. The report can also be
run for All machines, Virtual Machines only or Non-virtual Machines
only.
This report is grouped by Class and sorted by Device Description.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
279
Administrator's Guide
Sample Report:
280
Reference
USB-Port Security - Detailed By Computer
The USB-Port Security - Detailed by Computer report reports on
data collected about each class of devices. Device classes include
Blackberry, Bluetooth, CD/DVD, Firewire, Floppy Disks, Hard Disk
Drives, Infrared ports, IoMega devices, MP3 Players, Modems,
PCMCIA controllers, Palm OS Devices, Parallel ports, Pocket PC
devices, Removable storage devices, Serial ports, USB storage and
WiFi devices.
The USB-Port Security - Detailed by Computer report prompts
the user for the Scanned Since date to report on. The report can
also be run for All machines, Virtual Machines only or Non-virtual
Machines only.
This report is grouped by Computer Name and Class and sorted by
Device Description.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
281
Administrator's Guide
Sample Report:
282
Reference
USB-Port Security - Detailed By User
The USB-Port Security - Detailed by User report reports on data
collected about each class of devices. Device classes include
Blackberry, Bluetooth, CD/DVD, Firewire, Floppy Disks, Hard Disk
Drives, Infrared ports, IoMega devices, MP3 Players, Modems,
PCMCIA controllers, Palm OS Devices, Parallel ports, Pocket PC
devices, Removable storage devices, Serial ports, USB storage and
WiFi devices.
The USB-Port Security - Detailed by User report prompts the
user for the Scanned Since date to report on. The report can also be
run for All machines, Virtual Machines only or Non-virtual Machines
only.
This report is grouped by User Domain, User Name and Class and
sorted by Device Description.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
283
Administrator's Guide
Sample Report:
284
Reference
USB-Port Security - Detailed By User (Fixed Devices)
The USB-Port Security - Detailed by User (Fixed Devices)
report reports on data collected about all Fixed device classes.
The USB-Port Security - Detailed by User (Fixed Devices)
report prompts the user for the Scanned Since date to report on.
The report can also be run for All machines, Virtual Machines only or
Non-virtual Machines only.
This report is grouped by User Domain, User Name and Class and
sorted by Device Description.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
285
Administrator's Guide
USB-Port Security - Detailed By User (Portable Devices)
The USB-Port Security - Detailed by User (Portable Devices)
report reports on data collected about all Portable device classes,
USB and Firewire.
The USB-Port Security - Detailed by User (Portable Devices)
report prompts the user for the Scanned Since date to report on.
The report can also be run for All machines, Virtual Machines only or
Non-virtual Machines only.
This report is grouped by User Domain, User Name and Class and
sorted by Device Description.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
286
Reference
USB-Port Security - Top 10 Denied
The USB-Port Security - Top 10 Denied report is a graphical
report displaying the Top 10 Devices Attempted to be Used but
Restricted and the Top 10 Users Attempting to use a Restricted
Device. The Top 10 Devices Attempted to be Used but Restricted
graph is grouped by device class. The Top 10 Users Attempting to
use a Restricted Device is grouped by User Domain/User Name.
The USB-Port Security - Top 10 Denied report prompts the user
for the Scanned Since date to report on. The report can also be run
for All machines, Virtual Machines only or Non-virtual Machines only.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
287
Administrator's Guide
USB-Port Security - Users Denied
The USB-Port Security - Users Denied report reports on data
collected about Users that generated denied and/or disabled device
events. The report is grouped by User Domain, User Name, Class
Description and Device Description.
The USB-Port Security - Users Denied report prompts the user
for the Scanned Since date to report on. The report can also be run
for All machines, Virtual Machines only or Non-virtual Machines only.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
288
Reference
USB-Port Security - Users Denied (Fixed Devices)
The USB-Port Security - Users Denied(Fixed Devices) report
reports on data collected about Users that generated denied and/or
disabled device events. The report is grouped by User Domain, User
Name, Class Description and Device Description.
The USB-Port Security - Users Denied (Fixed Devices) report
prompts the user for the Scanned Since date to report on. The
report can also be run for All machines, Virtual Machines only or
Non-virtual Machines only.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
289
Administrator's Guide
USB-Port Security - Users Denied (Portable Devices)
The USB-Port Security - Users Denied(Portable Devices)
report reports on data collected about Users that generated denied
and/or disabled device events. The report is grouped by User
Domain, User Name, Class Description and Device Description.
The USB-Port Security - Users Denied (Portable Devices)
report prompts the user for the Scanned Since date to report on.
The report can also be run for All machines, Virtual Machines only or
Non-virtual Machines only.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
290
Reference
User Activity Reporting
User Activity - Machine User Usage
The User Activity - Machine User Usage report details user
activity on each computer. Total active and inactive session times
are calculated. Total active time per session is the time between
logon or unlock to lock or logoff. Total inactive time is (total working
hours for the time period) (total active time for the time period).
Usage events are grouped by computer and then by each user of the
computer.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
291
Administrator's Guide
User Activity - Summary Page
The User Activity - Summary Page report displays, graphically,
user activity across multiple computers. Usage events are grouped
by user, then by each computer they have logged on to. Total active
time is tallied for all computers. Total active time per session is
(login or unlock) to (lock or logoff). Total inactive time is (total
working hours for the time period) (total active time for the time
period) (no lower than 0).
This report can be used for scenarios where users log on to multiple
computers over the course of the working hours period, ie. when a
user uses a different computer every day over the course of a week.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
292
Reference
User Activity - User Machine Usage
The User Activity - User Machine Usage report details user
activity over multiple computers. Total active and inactive session
times are calculated. Total active time per session is the time
between logon or unlock to lock or logoff. Total inactive time is
(total working hours for the time period) (total active time for the
time period).
Usage events are grouped by user and then by each computer the
user has logged on to.
This tends to be a large report. It may be necessary to
narrow down the report parameters by user, computer or a
smaller date range.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
293
Administrator's Guide
User Activity Per Computer - Summary Page
The User Activity Per Computer - Summary Page report
displays, graphically, the top 10 inactive users and top 10 active
users. Total active and inactive session times are calculated. Total
active time per session is the time between logon or unlock to lock
or logoff. Total inactive time is (total working hours for the time
period) (total active time for the time period).
This report can be used for scenarios where a user may be logged
into more than one workstation at one time.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
294
Reference
User Activity Per Computer
The User Activity Per Computer report details user activity on
each computer that the user has logged on to and tallies active time
for each computer. Total active and inactive session times are
calculated. Total active time per session is the time between logon
or unlock to lock or logoff. Total inactive time is (total working hours
for the time period) (total active time for the time period).
This report can be used for scenarios where a user may be logged
into more than one workstation at one time.
The report is grouped by User ID and Computer ID.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return everything that ends with RD
will return everything that starts with RD
will return everything that contains the characters RD
Sample Report:
295
Administrator's Guide
User Activity
The User Activity report details user activity across multiple
computers. Usage events are grouped by user then by each
computer they have logged on to. Total active time is tallied for all
computers. Total active time per session is (login or unlock) to (lock
or logoff). Total inactive time is (total working hours for the time
period) (total active time for the time period) (no lower than 0).
This report can be used for scenarios where users log on to multiple
computers over the course of the working hours period, ie. when a
user uses a different computer every day over the course of a week.
The report is grouped by User and is sorted by UserId, Computer
Domain, Computer Name and Activity Time.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
296
Reference
User Logins
The User Logins report details user logins across the enterprise.
This report can be used to sum the number of logins per User Name,
Domain, OU, or Group based on the date the user last logged in.
Report Parameters:
All character based parameter values can make use of a %
wildcard value. A % symbol can be added to the beginning and/or
end of a phrase.
%RD
RD%
%RD%
will return anything that ends with RD
will return anything that starts with RD
will return anything that contains the characters RD
Sample Report:
297
Administrator's Guide
Configuring Profiles
ALERTS
The Alerts object allows for the custom configuration of warning and
notification messages (events) that Desktop Authority may display
during the logon process. The event message text may be customized
and a notification may be posted to the client and/or designated
Administrator via the event log, popup message box or email.
Event Configuration
Event
Select the event to customize from the Event list. Once the event is
selected all options on the dialog box reflect the settings for that
event.
Click the Reset to Default button to reset the options for the
selected event to the system defaults.
298
Reference
Alert Title
Type in static text or press the F2 key to select a dynamic variable.
The window title is displayed at the top of an Alert's popup message
box.
299
Administrator's Guide
Type
Select a message box type from the list. Choose from Information,
Question, Warning, or Error. Each type displays an icon to the left of
the message. The types use the following icons in the message box:
Information
Question
Warning
Error
Alert Text
Enter the text to be displayed in the message box. Dynamic
variables can be used in conjunction with any other text or dynamic
variable(s). Press the F2 key to select a dynamic variable.
Destination
Select a destination for the event notification. Leave all destinations
cleared to disable the event notification.
Display a popup message to the user logging on
Select this check box to enable a popup message box to display on
the clients desktop. The message box will be displayed when the
selected event occurs during the client logon process. Clear this
check box to disable the popup alert.
Timeout (seconds)
Timeout is available when the Client Message Box notification
destination is selected. Enter a numeric value representing the
number of seconds the message box will display for. It will be
displayed for the specified number of seconds unless the OK button
is pressed before the timeout occurs.
Display a popup message to specific user(s) and/or
computer(s)
Select this check box to enable a popup message box to the
specified computers or users desktop. The message box will be
displayed when the selected event occurs regardless of the user
logging on. Clear this check box to disable this message box
notification.
Enter one or more computer names and/or user names that will
receive visual notification of the selected event. Each computer/user
should be delimited by a semicolon (;).
300
Reference
Write this alert to the client computer’s event log
Select this check box to enable event logging on the client
computer. The event will be logged when the selected event occurs
during the client logon process. Clear this check box to disable event
logging for the selected event.
Write this alert to the event log on one or more specific
computers
Select this check box to enable event logging to the specified
computers or users. The event will be logged when the selected
event occurs during any client logon process. Clear this check box to
disable event logging for the selected event.
Enter one or more computer names and/or user names that will
receive visual notification of the selected event. Each computer/user
should be delimited by a semicolon (;).
E-mail this alert to specific address(es)
Select this check box to enable e-mail alerts. Notification of the alert
will be e-mailed when the selected event occurs during any client
logon process. Clear this check box to disable e-mail alerts for the
selected event.
Enter one or more e-mail addresses to receive notification of the
selected event. Each e-mail address should be delimited by a
semicolon (;).
Global Alert Settings
SMTP Server
Enter the name of the SMTP server to be used to send e-mail
alert(s).
301
Administrator's Guide
ANTI-SPYWARE*
Spyware is software that gathers information from a computer without
the knowledge or consent of the computer's user. A large amount of
these spyware programs are malicious, gathering private and personal
information. These days, spyware is difficult to avoid and also difficult
to detect and remove. With the optional subscription service, Spyware
Detection and Removal, Desktop Authority's Anti-Spyware object
provides the ability to scan clients, detect unwanted spyware and
report on it. Desktop Authority will remove or quarantine suspected
spyware. Desktop Authority's spyware detection and removal
capability is based on the detection and removal engine from Sunbelt
Software.
The Anti-Spyware detection object cannot be configured to run on
Windows 98, Me, NT 4.0, Tablet PCs, Embedded PCs, Terminal
Servers, Member Servers or Domain Controllers (Windows 2000
Server, 2003 and 2008).
Anti-Spyware has the ability to scan client computers and report on
suspected spyware. The Anti-Spyware object does not allow suspected
spyware to be removed or quarantined from the system unless the
Anti-Spyware Subscription service is purchased. When the Update
Service is installed, the configured download servers will query
scriptlogic.com to determine the product mode and download updated
anti-spyware definition files when available.
Each scan on a client computer will create a log file named
SpywareItems.log. This log file is created on each client in the
\Program Files\ScriptLogic\Anti-Spyware folder. The log file should be
looked over to determine that all programs deemed to be spyware are
potential spyware programs. If a program is mistakenly believed to be
spyware it should be added to the Exclude list so it is not reported on
each time the scan is run. The next time a scan is run on the client the
program will be restored.
Periodically, an updated anti-spyware definition file will be retrieved
from the ScriptLogic web site. The definition file will contain the latest
known spyware agents. Getting Spyware definition updates requires
the use of the Update Service. The Update Service provides an avenue
to update client systems with files deployed by the MSI Packages
object, Patches as well as Anti-Spyware definition updates. Configure
the Update Service in Server Manager.
302
Reference
Settings
Scan Options
Quick
Select this box to perform a fast search on the system.
The system is scanned for anti-spyware in locations
that are most often affected by spyware.
Full
Select this box to perform a scan on custom options
Memory, Registry and Local Disks.
Custom
Customize scan options to include scanning of specific
hardware.
Memory
Select this box to include a search through all
running processes and attached processes during
logon or logoff to detect spyware. The time at
which memory is scanned depends upon the
selected Validation Logic Timing.
Registry
Select this box to include a search through the
registry files to detect spyware.
303
Administrator's Guide
Local Disks
Select this box to include a search through all
local drives to detect spyware. All files, including
cookies, will be scanned.
Removable Disks
Select this box to include a search through all
removable drives to detect spyware.
Real-time Process Monitor
Select this box to monitor memory for newly started processes.
When a new process is detected it is automatically scanned for
spyware.
Scan Action
Clean Action
The Clean Action tells the Anti-Spyware object how to
handle the results of the spyware scan.
•
Leave Alone (Log Only) - The log only mode will scan
the system for spyware and report on anything
found. All spyware that is found will remain on the
system. This mode is used for Evaluation versions
and systems that do not have a current AntiSpyware license.
•
Quarantine - Quarantining spyware results in moving
the found spyware programs to a folder on the
client. The spyware is moved and renamed so it can
not be found and detected in future scans. Spyware
programs are quarantined on the client computer in
the folder \Program Files\ScriptLogic\AntiSpyware\Quarantine. If a program is mistakenly
determined to be spyware it's variant name should
be put in the Exclude list. The next time a scan is run
on the client, the program will be automatically
restored.
•
Remove - The Remove option will perform a deletion
of all detected spyware programs from the system.
Once a program is removed, it cannot be restored.
Minimum threat to take action
Spyware programs are divided into several threat
levels based on the degree of malicious intent.
Selecting a minimum level from the list will force the
scan to only look for spyware with the selected threat
level and above. All spyware with a threat level lower
than the selected one will be ignored.
304
Reference
Excluded Spyware
The Excluded Spyware list is used to tell the anti-spyware object
which programs to ignore. This may include any programs that are
deemed to be spyware but are not, or a program which the
company determines to be safe to run on their clients.
Press Add to define the spyware variant name in the entry. The
Variant name of a detected spyware program can be found in the
SpywareItems.log file. This file is created on each client as the
spyware is run. The SpywareItems.log file contains information
regarding all spyware found on the client. Press Modify to edit an
entry in the Permissions list. Press Delete to remove an entry from
the Permissions list.
Delete items from quarantine older than xx days.
Specify a number of days in which the Quarantine
folder is to be cleaned. This folder contains all
quarantined programs deemed to be spyware.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
*This feature is a purchasable option for Desktop Authority. This
option is not available with Desktop Authority Express. Desktop
Authority users must upgrade to Desktop Authority in order to
purchase this option.
**If more than one Anti-Spyware element is validated for on a client,
only the last element in the list will be applied to the client. All other
elements will be ignored.
***Windows 95, 98, Me and NT4 clients are no longer supported.
305
Administrator's Guide
APPLICATION LAUNCHER
The Application Launcher object allows you to define and launch an
application on the client’s desktop after the logon script completes.
This is equivalent to placing a shortcut in the client’s Startup folder,
however, Desktop Authority performs this in a centralized fashion so
there is no need to visit each computer to set this up.
In addition to launching standard applications, such as Internet
Explorer or Outlook, the Application Launcher object is the perfect way
to update your client’s anti-virus signatures, using the update
executable supplied by the vendor of your anti-virus software.
The Desktop Authority Application Launcher object uses the RunOnce
registry key to queue programs for launching after the logon process is
complete. However, if Desktop Authority detects the client is
connecting over dial-up networking, the application is immediately
launched while the script continues to execute.
306
Reference
Settings
Filespec
Enter the complete path and filename where the application’s
to locate the executable’s path.
executable exists or click
Desktop Authority’s dynamic variable selection is available for this
field by pressing the F2 key.
Arguments
Enter any optional parameters (switches) to be passed to the
launched application.
Run as Administrator
Select this check box to run the application with Administrator
privileges. If the user logging on to the network does not normally
have Administrator privileges, the application will be executed using
Desktop Authority’s RunAs Admin service.
If this check box is cleared and the user does not have rights to
access or run the application, the application will not run.
Hide any screen output
Select this check box to hide any windows that would normally be
displayed by the application.
Launch asynchronously
Select this check box to run the application asynchronously. In
asynchronous mode, the applications will run at the same time. If
this check box is cleared, applications will run one after another.
Each application must complete before the next one will begin.
Show time-out message box prior to launching application
Select this box to pop up a message box before the application is
executed.
Window Title
Type in static text or press the F2 key to select a dynamic variable.
The window title is displayed at the top of the popup window.
Message
Enter the text to be displayed in the message box. Dynamic
variables can be used in conjunction with your text. Press the F2
key to select a dynamic variable.
307
Administrator's Guide
Message box will time-out after xx seconds
Optionally, specify the number of seconds for the message box to
be displayed. If there is no confirmation of the message box, the
message box will be closed and the application will automatically
be launched. Specifying 0 seconds will display the time-out
message box, until it is confirmed.
Cycle
Select a time interval for which the application will run. Choose from
Every time, Day of Week, Monthly (Day of Week), Monthly (Day of
Month) and Specific Date.
Selecting Every time as the cycle, will force the application to be
run each day each logon, logoff, refresh, shut down, and desktop
timing as specified in the Application Launcher validation logic.
Selecting Day of Week as the cycle, presents a new list allowing
the selection of a day from Sunday to Saturday.
Selecting Monthly (Day of Week) as the cycle, presents a new list
allowing the selection of a day in the month ranging from 1st
Sunday, 1st Monday, . . . to the 5th Saturday of the month.
Selecting Monthly (Day of Month) as the cycle, presents a new
list allowing the selection of a date within the month.
Selecting Specific Date as the cycle, presents an entry to which the
specific date should be entered. Press the arrow to make your date
selection from any calendar day.
Frequency
Select a logon frequency from the list. Select from Every time, Once
Per Day (User), Once Per Day (Computer), One Time (User) and
One Time (Computer).
Select Every time to launch the application every logon, logoff,
refresh, shut down, desktop.
Select Once Per Day (User) to launch the application at the
specified cycle, one time per day for the current user.
Select Once Per Day (Computer) to launch the application at the
specified cycle, one time per day for the computer.
Select One Time (User) to launch the application at the specified
cycle, a single time for the current user.
Select One Time (Computer) to launch the application at the
specified cycle, a single time for the computer.
308
Reference
Example:
To launch Outlook each time your users log on, select Everyday
from the first cycle prompt and Every Logon from the second.
Anti-virus updates need only be launched once on the selected
day. For this type of application, you would select Specific Date
and set the logon frequency to Once per day.
UID
The UID entry is used to make each entry in the Application
Launcher list a unique item, regardless of the application that is to
be launched. This is helpful in the execution of an application when
the Frequency is set to run Once Per Day or One Time. The data in
this entry is automatically generated and should not be modified.
However, if an entry in the list, that is set to run Once Per Day or
One Time, must be executed a second time, the UID can manually
be changed by clicking Generate New.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
309
Administrator's Guide
COMMON FOLDER REDIRECTION
The Common Folder Redirection object allows you to change the
location of where Windows NT*/2000/XP/2003/Vista/2008 computers
look for common specialized folders known as the All Users Shell
Folders.
Common Shell Folders are folders that are shared by all users of the
computer and include Common Application Data, Common Desktop,
Common Programs Group, Common Start Menu and the Common
Startup Group.
By default, Windows NT operating system locates common shell
folders under the All Users profile folder (C:\WinNT\Profiles\All Users\).
Windows 2000 also locates shell folders under the All Users profile,
however the base location of the All Users profile has been changed to
C:\Documents and Settings\All Users\. Windows 98/Me makes use of a
subset of the NT*/2000/XP/2003/Vista/2008 folders. Windows 95 does
not offer common shell folders.
By instructing the operating system to locate the Common Shell
Folders on a network share (or mapped drive), rather than the
computer’s own local hard drive, you allow users to access the
common portion of the Desktop, Start Menu and/or Program Group
regardless of the computer from which they log on to.
In addition to Common Shell Folders, Windows
NT*/2000/XP/2003/Vista/2008 also includes an individual set of shell
folders that are available to each user on each computer. Individual
user shell folders can be configured by Desktop Authority using the
Folder Redirection object.
310
Reference
Settings
Shell Folder
Select a shell folder from the Shell Folder list. Desktop Authority’s
dynamic variable selection is available for this field by pressing the
F2 key.
Redirect to Folder
Specify a path that the shell folder should be redirected to. The path
to
may be in the form of a path, mapped drive or UNC. Click
navigate to the path. Desktop Authority’s dynamic variable selection
is available for this field by pressing the F2 key.
Reset to Default
Select this check box to restore the redirected folder to the
operating system’s default location.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
**Windows 95, 98, Me and NT4 clients are no longer supported.
311
Administrator's Guide
DISPLAY
The Display object provides several options that control general
operating system settings including the desktop and user interface.
Settings
Desktop and Explorer
Remove Windows Welcome
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to remove the initial Welcome to Windows
dialog box that appears when a user logs on to a computer for the
first time. Clear this check box to display the Welcome dialog box to
new users. Gray the check box to leave the client’s setting
untouched.
The default for this option is cleared.
312
Reference
Remove IntelliMouse Tips
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to remove the Microsoft IntelliMouse tips
dialog box that appears when a user logs on to a computer for the
first time. Clear this check box to display the Tips dialog box to new
users. Gray the check box to leave the client’s setting untouched.
The default for this option is cleared.
Remove Shortcut to Prefix
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to remove the text Shortcut to when a new
desktop shortcut is created. Clear this check box to include the
Shortcut to prefix when creating new desktop shortcuts. Gray the
check box to leave the client’s setting untouched.
The default for this option is cleared.
Remove Find Fast Startup
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to remove the Find Fast shortcut from the
Startup folder. Clear this check box to leave the Find Fast shortcut
in the Startup folder untouched. Gray the check box to leave the
client’s setting untouched.
The default for this option is cleared.
The Find Fast shortcut is created in the Startup folder, by default,
with a complete installation of Microsoft Office. This utility builds
indexes to documents and is stored on the local drive of the
computer. It is used to speed up finding documents from any Office
Open dialog box. In most networked environments, there is no need
to index the documents on local hard drives since they are typically
stored on network shares. If this utility is installed on an NT Server
or Terminal Server, the network administrator will notice that the
indexer is very CPU and disk-intensive. It may actually disconnect
users connected to the server.
Enabling this option (to remove the shortcut) will not automatically
delete the indexes that Find Fast may have already created,
however it will prevent the excessive CPU utilization and disk
activity that is caused by the execution of the Find Fast utility.
313
Administrator's Guide
Remove MSN Desktop Icon
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to remove the MSN icon from the Windows
95/98 desktop. Clear this check box to leave this default icon on the
desktop. Gray the check box to leave the client’s setting untouched.
The default for this option is cleared. This desktop icon gets created
with new installations of the Windows 95/98 operating system.
Remove Online Services Desktop Folder
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to remove the Online Services desktop folder
from the Windows 95/98 desktop*. Clear this check box to leave
this default folder on the desktop. Gray the check box to leave the
client’s setting untouched.
The default for this option is cleared. This folder gets created with
new installations of the Windows 95/98 operating system.
Remove My Documents Desktop Icon (User's Folder in Vista)*
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to remove the My Documents icon from the
Windows desktop (User's Folder in Vista). Clear this check box to
leave this default icon on the desktop (User's Folder in Vista). Gray
the check box to leave the client’s setting untouched (User's Folder
in Vista).
The default for this option is cleared. This desktop icon gets created
with new installations of the Windows 95/98 operating system*.
Note: If the My Documents Desktop Icon (User's Folder in
Vista) has previously been removed from the Windows
desktop, unchecking this box will not re-create the icon.
turn on the Num Locks key. Clear this check box to turn off the
Num Locks key. Gray the check box to leave the Num Locks key in
its current state.
314
Reference
Context Menu
Enable Command Prompt Here (not on Term Serv Client)
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to have the Command Prompt Here shortcut
on the context (shortcut) menu when in Windows Explorer. The
Command Prompt Here shortcut opens a DOS command window
defaulting to the directory that is clicked on in Explorer.
Enable Remote Control shell extension (not on Term Serv
Client) (not available in Desktop Authority Express)
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to have a Remote Management shortcut on
the context (shortcut) menu when in Windows explorer. The Remote
Management shortcut provides the ability to jump directly to a
Remote Management session on the workstation.
The default value for this setting is or grayed (preserve client
.
setting)
Keyboard
Enable Num Lock on Boot
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
. Select this check box to
Wallpaper file
Specify a bitmap file (.BMP) to use as wallpaper on all client
desktops. The location of the image file may be specified in the form
to locate the image
of a path, mapped drive or UNC. Press
file. Desktop Authority’s dynamic variable selection is available for
this field by pressing the F2 key. If specifying a UNC, the location
and filename should be specified in the form of
\\server\share\filename.bmp.
During the logon process the specified image is copied from the
specified location to the client's %Windir% folder.
315
Administrator's Guide
Leaving this field empty will allow all clients to select their own
preferred wallpaper image.
Enter the word clear within parentheses ( ) to disable all clients
from using wallpaper.
Example:
•
Specify \\myserver\myshare\mylogo.bmp to use a custom
logo image file.
•
Specify $windir\setup.bmp to use Windows’ setup.bmp as
the custom image file.
•
Specify (clear) to disable client’s wallpaper
Registered Owner (not on Servers)
Enter a Registered Owner name to override the setting that was
used during the install of the operating system. Desktop Authority’s
dynamic variable selection is available for this field by pressing the
F2 key.
Example:
•
Specify $FullName
Mary Jones
Registered Company (not on Servers)
Enter a Registered Company name to override the setting that was
used during the install of the operating system. Desktop Authority’s
dynamic variable selection is available for this field by pressing the
F2 key.
Example:
•
Specify ABC Incorporated
It is recommended to use static text instead of dynamic
variables or macros when Desktop Authority is used on a multiuser environment such as Terminal Server and/or Citrix
MetaFrame.
Rename "My Computer" to (not on Servers)
Enter a name to use for the MyComputer desktop shortcut. This will
override the operating system’s default setting. Desktop Authority’s
dynamic variable selection is available for this field by pressing the
F2 key.
Example:
•
Specify $userid ($wksta)
mjones(PC-111)
This setting has no effect on Terminal Server or Citrix
Server sessions.
316
Reference
Rename "Network Neighborhood" to (not on Servers) Not
available for Vista desktops
Enter a name to use for the Network Neighborhood desktop
shortcut. This will override the operating system’s default setting.
Desktop Authority’s dynamic variable selection is available for this
field by pressing the F2 key.
Example:
•
Specify $Domain
ABC
This setting has no effect on Terminal Server or Citrix
Server sessions.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
*Windows 95, 98, Me and NT4 clients are no longer supported.
317
Administrator's Guide
DRIVE MAPPINGS
The Drive Mappings object configures network drive mappings. Drive
Mappings redirect a local resource (drive letter) to a shared network
resource (hard drive or folder on the network). Using mapped drives to
access server-based information provides administrators with the
ability to make changes faster and more transparently than using
straight UNCs on each client.
For example, the Groups share is where all users store shared
departmental documents and is mapped to drive G: on server1. If
Server1 begins to run low on disk space, simply stop sharing the
Groups folder on Server1 and move the Groups folder structure to
Server2 (where there is plenty of free disk space). Change the share
to the Groups folder on Server2. Now simply change Desktop
Authority’s mapping for the G drive to the Groups share on Server2. A
trip to each desktop is saved because the client applications did not
need to be changed — they still reference the folder structure as drive
letter G:.
318
Reference
Settings
Letter
Click the Letter arrow to select a drive letter to map. A valid drive
letter may also be entered into the field. Valid drive letters are any
single letter from A to Z. The drive letter entered can be uppercase
or lowercase. All lowercase letters will be converted to uppercase
when the dialog box is saved.
If the network incorporates Windows 9x clients, do not use Desktop
Authority to map drive Z: to a network share. Windows 9x, upon
domain authentication, temporarily maps drive Z: to the
authenticating server’s NETLOGON share. Drive Z: remains mapped
until the completion of the logon script. If you attempt to map drive
Z: using Desktop Authority, the pointers Desktop Authority
maintains to the NETLOGON share will be broken and the script may
not complete successfully, or may execute twice.
Path
Enter the folder location that the selected drive letter will be
mapped to. The folder location should be specified in the form of a
to navigate to
proper UNC, \\server\share. Optionally, click
the network share. Desktop Authority’s dynamic variable selection is
available for this field by pressing the F2 key.
Deep drive mapping is not supported on Windows 9x clients.
Windows NT 4.0 clients will only support deep drive mappings if the
Dfs client component is installed. Deep drive mappings are fully
supported on Windows 2000 or higher.
Mapping drive H: to all users's home directories can be done in a
single entry in the Drives list. This is done by using dynamic
variables. Use \\$HomeServer\$HomeDir or
\\$HomeServer\$HomeDir$$ (hidden share) as the path. At logon
time, the dynamic variables are substituted by the correct values
based on the user logging on to the network.
When mapping to a hidden share there must be two trailing dollar
and browsing
signs ($$) following the share name. By clicking
out to select the share, Desktop Authority will automatically place
the extra trailing dollar sign. If the share is manually typed into the
Path entry, the extra dollar sign must manually be entered.
To hide a local drive, leave the Path entry blank. The drive specified
in the Letter entry will be hidden from Windows Explorer and My
Computer.
319
Administrator's Guide
Delete (appends /DELETE to path)
Select this box to remove a persistent drive mapping from a
workstation. This will append the text /DELETE following the path.
/DELETE may also be manually typed in to the Path entry following
the specific path. This will remove any persistent drive mappings to
the drive letter specified in the Letter entry.
The /DELETE option does not need to be used prior to mapping a
drive. Desktop Authority will automatically remove the persistent
drive mapping on the workstation if it is in conflict with the driver
letter to be mapped.
Persistent (appends /PERSISTENT to path)
Select this box to make a drive mapping persistent. This will append
the text /PERSISTENT in the Path entry. /PERSISTENT may also be
manually typed in to the Path entry following the specific path. The
drive will later be mapped each time the user logs onto the network,
even if Desktop Authority is not running.
Hide from Windows Explorer
Select this check box to hide the mapped drive letter. Hiding a drive
hides it from Windows Explorer and My Computer. Although the
drive is hidden, it is still available for applications to use.
Hiding a drive from Windows Explorer is often beneficial in
protecting your programs and data from accidental deletion or
misuse. A good example would include a standard database
application. Users need NTFS Full Control of the folder and files to
effectively use the database, but don't need to actually see the
folder when using Windows Explorer. In this example, there would
most likely be a hidden the share also. Adding a trailing dollar sign
($) to the share name when sharing the folder would prevent this
share from being visible.
Explorer Label (2000 and newer)
Use this label to change the default drive label (name) as shown in
Explorer. This label is only available on Microsoft 2000 operating
systems and newer.
If this drive fails to map
Select Continue, Alert and Continue, or Alert and Logoff from the
list. The selected action will occur if there is a problem when
attempting to map to the specified drive. The Alert and Continue
action will issue the Error mapping drive alert. The Alert and Logoff
action will issue the Error mapping mandatory drive alert.
320
Reference
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
321
Administrator's Guide
ENVIRONMENT
The Environment object allows environment variables to be centrally
configured on the client using static text, Desktop Authority dynamic
variables or KiXtart macros.
Settings
Variable
Enter the environment variable to be defined.
String
Enter the data to be assigned to the environment variable. This can
be static text, a Desktop Authority dynamic variable (F2) or a
KiXtart macro.
Example:
Variable [ User ]
String [ $FullName ]
Desktop Authority includes a dynamic variable called
$Initials. This variable is set by reading the user’s
Description field from User Manager for Domains. If a pound
symbol (#) appears anywhere in the field, the following 3
characters are returned as $Initials. For example, if the
user’s Description field is set to [Chief Technology Officer
#JJS ], the value of the $Initials becomes JJS.
322
Reference
Create user variable
Select this option to set an environment variable for the currently
logged on user. User Environment variables may differ depending on
the user logged on.
Create system variable
Select this option to set a system environment variable. System
Environment variables are the same for all users who log on to the
workstation.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
323
Administrator's Guide
FILE OPERATIONS
The File Operations object provides the ability to Copy, Delete, Move,
Rename files and folders as well as to Create Folders. File Operations
support Local, Mapped and network drive paths as well as a generous
portion of operation options.
Settings
Operation
Select Copy, Move/Rename, Delete or Create Folder from the
Operation list to specify the action to execute on the specified files.
Source Folder
Specify the folder on which the selected Operation will act upon.
Source Files
Specify the files on which the selected Operation will act upon.
Destination Folder
For Copy, Move/Rename or Create Folder operations, specify the
folder to be used as the destination for the selected Operation.
324
Reference
Destination Files
For Copy or Move/Rename operations, specify the file names to be
used for the destination of the selected Operation.
Include subdirectories
Select this check box to include all subdirectories of the Source
Folder in the selected Operation. Clear this check box to exclude all
Source Folder subdirectories in the selected Operation.
Continue on error
Select this check box to continue performing the selected Operation
regardless of any errors that occur during the execution of the
action. Clear this check box to stop the selected Operation if an
error occurs.
Include hidden/system files
Select this check box to include all hidden and system files in the
selected Operation. Clear this check box to ignore all hidden and
system files in the selected Operation.
Only files
Select this check box to enable extra File Operation options. When
enabled, select changed before, changed after, changed between,
changed on and older than from the list.
•
changed before
Select changed before, for the selected operation to act on all
files last modified prior to the specified date.
•
changed after
Select changed after, for the selected operation to act on all
files last modified after the specified date.
•
changed between
Select changed between, for the selected operation to act on all
files last modified between (and including) the specified dates.
•
changed on
Select changed on, for the selected operation to act on all files
last modified on the specified date.
•
older than
Select older than, for the selected operation to act on all files
older than the specified number of days.
325
Administrator's Guide
•
last accessed before
Select last accessed before, for the selected operation to act on
all files that were last accessed before the specified date.
•
last accessed after
Select last accessed after, for the selected operation to act on
all files that were last accessed after the specified date.
•
last accessed between
Select last accessed between, for the selected operation to act
on all files that were last accessed between the specified dates.
•
last accessed on
Select last accessed on, for the selected operation to act on all
files that were last accessed on the specified date.
•
last accessed more than X days
Select last accessed more than X days, for the selected
operation to act on all files that were last accessed more than
the specified number of days ago.
Overwrite/Delete read-only files
Select this check box for the selected operation to overwrite or
delete read-only files. Clear this check box for the selected operation
to ignore all read-only files.
Overwrite existing files
For Copy or Move/Rename operations, select this check box for the
operation to overwrite existing files. Clear the check box for the
operation to ignore existing files.
Overwrite older files
For Copy or Move/Rename operations, select this check box for the
operation to overwrite existing files if the destination file is older
than the source file. Clear the check box for the overwrite operation
to ignore overwriting destination files that are older than the source
files.
Perform copy/move/delete asynchronously
Select this box to perform the selected operation asynchronously. In
asynchronous mode, the File Operations element will execute at the
same time as other File Operations elements. If this check box is
cleared, applications will run sequentially one after another. Each
application must complete before the next one will begin.
326
Reference
Redirect to 32 bit folder on 64 bit OS's
Select this box to force the operation to copy files to the
corresponding 32-bit folder, when performing the operation on 64bit operating systems.
Wipe disk area to DoD 3 spec
For Move/Rename and Delete operations, select this check box to
securely remove files/folders from the specified source using the
DoD 3 specification.
Possible File Operations
Source
Folder
Source
File
Destination
Folder
Destination
File
Operation
X
X
(nonexisting)
Rename
folder
X
X
(existing)
Move
folder
X
Single
X
Move file
to different
folder
X
Multiple
X
Move files
to different
folder
X
Single
X
Single
Rename
file
X
Multiple
X
Single
Not
supported
X
Single
X
Multiple
Not
Supported
X
Multiple
X
Multiple
Not
supported
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
327
Administrator's Guide
FOLDER REDIRECTION
The Folder Redirection object provides the ability to change the
Windows default location for specialized folders known as Shell
Folders. Shell folders are folders that are specific to each user. They
include the Cookies, Desktop, Favorites (IE Bookmarks), History, My
Pictures, Personal (My Documents), Recent, Temporary Internet Files,
Send To, Start Menu, Programs Group and the Startup Group.
By default, the Windows NT operating system locates shell folders in
the user’s profile folder (C:\WinNT\Profiles\profilename\). Windows
2000 and newer also locates shell folders under the user’s profile,
however the location of user profiles has been changed to
C:\Documents and Settings\profilename\. Windows 9x stores shell
folders under the C:\Windows\ folder, unless individual user profiles
have been enabled using the Control Panel. If individual user profiles
have been enabled, Windows 9x creates separate folder structures,
similar to the default user profile structure found in Windows NT.
By defaulting the location of these folders to a network share (or
mapped drive), rather than the local computer’s own hard drive, users
are allowed to access their own desktop, bookmarks, recent document
list, application settings, etc., regardless of the computer they log on
to. This also enables the profile to be secured and backed up nightly.
In addition to user-specific shell folders, Windows
NT/2000/XP/2003/Vista/2008 also includes a common set of shell
folders that is available to all users of the computer. This common set
of shell folders is often referred to as the "All Users" profile. NT
Common Shell Folders can be redirected by Desktop Authority using
the Common Folder Redirection object.
328
Reference
Settings
Shell Folder
Select a shell folder from the Shell Folder list.
Redirect to Folder
Specify a folder that the shell folder should be redirected to. The
folder designation may be in the form of a path, mapped drive or
to navigate to the path. Desktop Authority’s dynamic
UNC. Click
variable selection is available for this field by pressing the F2 key.
Reset to Default
Select this check box to restore the redirected folder to the
operating system’s default location.
Copy any files that exist in the original folder
Select this check box to copy files from the current folder to the
redirected folder when it is redirected.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
329
Administrator's Guide
GENERAL
The General object provides several miscellaneous settings including
settings to purge the client TEMP files, password expiration warnings
and others.
Settings
Purge client %TEMP%\
Wednesday of every month
files on the first
%TEMP% is an environment variable that defines the location of the
Windows’ temporary files folder. Desktop Authority can easily
control the purging of this folder in order to keep the client’s
machine free of extraneous, unused files. The user will never have
to remember (or forget, as is usually the case) to manually purge
this folder.
Purging is completed on the first Wednesday of each month.
Select Never from the list to disable the automatic purging of files
in the %TEMP% folder.
Select Prompt from the list to let the user decide whether to purge
the %TEMP% folder.
Select Always from the list to purge the %TEMP% folder on the
first Wednesday of each month.
330
Reference
Specify the file(s) to purge from the %temp% folder. Use wildcards
to specify multiple files. A subfolder may also be specified.
The defaults for purging are [Never] purge and [*.tmp] files.
Warn user
days before network password will expire
Enter a numeric value (number of days) to enable a warning to the
client when their password is about to expire. The warning will give
the user an advanced reminder the specified number of days before
the password will expire. If no number is entered, the warning is
disabled.
Warn user if less than
MB are free on system drive
Enter a numeric value (number of megabytes) to enable a warning
to the client if disk space falls below the specified size. If no number
is entered, the warning is disabled.
Don't Display Last User Name
Use this setting to clear or set the previous user’s logon name.
Set this check box to one of three (3) different states: on (enabled)
, off (disabled)
, or grayed (preserve client setting)
. Select
this check box to clear the logon name of the previous user of the
computer. The user name entry will be blank on the logon dialog
box the next time a user logs onto the computer. Clear the check
box to display the previous user’s name. The user name will be
shown in the logon dialog box each time a user logs on to the
computer. Gray the check box to disable Desktop Authority’s control
of the user name.
Limit concurrent logons by monitoring the share mapped using
drive
This option provides a mechanism by which the number of
concurrent logons by a single user can be limited. Implementation of
this feature requires a combined effort between Desktop Authority
and the domain’s servers where the shares reside.
Once configured, Desktop Authority, will immediately log off any
user that attempts to concurrently log on more sessions than they
are allowed.
331
Administrator's Guide
Disconnect all existing network drives before mapping new
ones
Select this check box to forcibly disconnect all existing network drive
mappings before Desktop Authority drive mapping elements are
executed. If Desktop Authority is executed and this check box is not
selected, any persistent connections that the client may have
defined for the same drive letter to be mapped by Desktop Authority
will be overridden. Desktop Authority will not automatically remove
all persistent connections on each client (unless this check box is
selected) — only the ones that conflict with the mappings being
applied by Desktop Authority during the logon process.
Disconnect all existing network printers before connecting new
ones
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
. Select this check box to forcibly remove all existing network
printer mappings from the client before Desktop Authority printer
mapping elements are executed. Clear this check box to leave the
computers existing printer mappings as is. Gray the check box to
leave the printer mappings set to what they have already been
validated for.
Disconnect all existing IP printers before connecting new ones
(excludes server operating systems)
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
. Select this check box to forcibly remove all existing IP printer
mappings from the client before Desktop Authority printer mapping
elements are executed. Clear this check box to leave the computers
existing printer mappings as is. Gray the check box to leave the
printer mappings set to what they have already been validated for.
IP printers on servers will not be disconnected by this option.
Disable Office Assistant
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
. Select this check box to disable "Clippy", the annoying Office
Assistant. Clear this check box to enable the office assistant. Gray
this check box to preserve the user’s current profile setting.
Remove IE Tour
Select this check box to remove the Internet Explorer Take a Tour
splash screen. Once removed, it can not be reactivated by Desktop
Authority.
332
Reference
Remove Internet Connection Wizard
Select this check box to remove the Internet Connection Wizard and
prevent it from launching the first time each user of the computer
attempts to launch Internet Explorer. Once the Internet Connection
Wizard is removed, it can not be reactivated (added back to the
desktop) by Desktop Authority.
Clear all existing security policies first
Select this check box if you are using Desktop Authority's Security
Policies only. This setting instructs Desktop Authority to remove all
existing security policies prior to applying new ones. Removing a
security policy removes the setting from the registry which in effect
disables the policy from being applied to the workstation.
Clear this check box if you are using Microsoft’s Policies in
combination with Desktop Authority's Security Policies. Microsoft’s
Group Policies are applied to the computer before the logon script
executes, this option will ensure that Desktop Authority does not
"clear" the existing Microsoft Policies.
Graying this check box acts exactly as if the check box is cleared
unless there are other elements that either Select or Clear this
option. If there are other elements with a selected or cleared check
box, this option will be ignored. The last setting processed, either
selected or cleared will take precedence over all other settings.
Set local admin password (clear to leave the same)
Click Set to define a local admin password for clients that this
element validates for. After entering the local admin password, click
OK. The password will be encrypted for display purposes in the
Manager. Click Clear to remove the local admin password from the
element.
Do not show desktop agent icon in system tray
This check box can be set to one of three (3) different states: on
, hide the Desktop Agent icon in the system tray, off
(enabled),
(disabled),
, show the Desktop Agent icon in the system tray, or
grayed,
, preserve Global Desktop Agent setting.
Always restart computer, even if shut down is selected
(Desktops only, excludes Vista and 64 bit platforms)
This check box can be set to one of three (3) different states: on
, force the computer to Restart even if a Shut down
(enabled),
was selected, off (disabled)
, allow the computer to shut down if
requested, or grayed,
, preserve Global Desktop Agent setting.
This option comes in handy when installing service packs or other
applications that may need to complete after the system restarts.
Using this option sets the Agent to automatically launch regardless
of any logoff/shut down events.
333
Administrator's Guide
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
334
Reference
GROUP POLICY TEMPLATES
Overview
Administrative Template files are used by the Group Policy Templates
object to describe security policy settings and where they are stored in
the registry. Administrative templates include a policy category, policy
options and registry settings for each policy contained within the
template. Group Policies are rules that administrators can employ to
enforce a specific desktop environment. Policies can apply to the entire
domain or an individual computer or user. They are made up of a
combination of one or more Registry keys.
There are several standard administrative templates that are installed
with Windows 2000, XP, 2003 and Vista. Additional Administrative
templates are available in several of Microsoft's Resource kits, service
packs and the Microsoft Download center. Templates can also be
created from scratch or customized to meet specific needs. Custom
templates are also available online for download from various sources.
Although Microsoft has its own built-in Group Policy editor, Desktop
Authority lets you use existing Administrative templates providing a
simpler interface for configuring the Group Policies contained within
them. Using Desktop Authority's patented Validation Logic allows a
policy to be configured to a granular level including OS, Class,
Connection Type and more.
All Group Policies that are a part of the selected ADM/ADMX templates
will be displayed within their defined categories in the Administrative
Templates tree on the Settings tab. ADM Templates are displayed in
the Classic Administrative Templates tree and are valid for operating
systems prior to Microsoft Windows Vista. ADMX Templates are used
by Microsoft Windows Vista operating system and above. ADMX
Templates are displayed in the Administrative Templates tree. Select a
Policy category from the template tree. Once selected, the Policies
within the category will be displayed in the Policy list to the right of the
tree. Once the policy to be configured is selected, the Policy Setting
and Explanation will be displayed.
Configure the Policy on the Policy Setting tab. Once configured, click
Apply Changes to accept the changes for the current Group Policy
element. Click Discard changes to undo the latest changes. Review a
description on the Policy Explanation tab. To save the Group Policy
toolbar button.
element, click the
335
Administrator's Guide
Settings
Administrative Template Trees
The Classic Administrative Templates tree displays the categories for
all policies within the selected ADM template files. Policies within the
ADMX template files are shown in the Administrative Template tree.
Each category displays the policies available for configuration in a list
to the right of the category.
Click [Hide Unused] to hide policies in the list that are not yet configured.
If policies are hidden, click [Show Unused] to display all policies,
configured or not.
336
Reference
Policy List
The Policy list displays all policies for the category selected
in the Administrative Template tree. Click on a policy to
select it. The policy is configured on the Policy Setting tab.
Policy Setting
The Policy Setting tab is where each Policy is configured.
The setting is displayed along with its configuration state
and options. Once the policy's options are set, click Apply
Changes to accept the changes for the current Group Policy
element. Click Discard Changes to undo the most recent
changes.
Policy Explanation
The Policy Explanation tab provides a complete description
of the policy and its settings.
Apply Changes
Click Apply Changes to accept the changes for the current
Group Policy element.
Discard Changes
Click Discard Changes to undo the most recent changes.
Previous Policy
Click Previous Policy to load the previous policy in the list.
Next Policy
Click Next Policy to load the next policy in the list.
Show Registry Settings
Select Show Registry Settings to display the actual registry
key and value that will be configured for the selected Policy.
337
Administrator's Guide
Add/Remove ADM Files
Desktop Authority's Group Policy Templates object provides the
ability to import Classic Administrative templates and deploy the policy
settings contained within them.
Once a Group Policy Template element is added to the configuration
list, administrative template settings can be configured. This requires
that Administrative templates be imported into the system. By default,
the Operations Master's %windir%\inf folder is scanned for existing
ADM files. All ADM files that are found are imported into Desktop
Authority and copied to the Group Policy folder. By default,
CONF.ADM, INETRES.ADM, and SYSTEM.ADM are selected for use in
the Group Policy element.
To add a new ADM template to the list, click Import Template Files.
Browse to the ADM template file and select it. Click Open to confirm
the selection. The template file will be automatically be imported and
added to the list. All policies within the template file are immediately
available for use in an Group Policy Templates element.
Select the template file(s) that will be used with this Group Policy
Templates element ( ). Once template files have been selected, select
the Settings tab.
338
Reference
Add/Remove ADMX Files
Desktop Authority's Group Policy Templates object also provides
support to import ADMX Administrative templates and deploy the
policy settings contained within them.
An ADMX Administrative template consists of an ADMX file and its
associated resource file (ADML). In order for DA to import the
template, the ADML file must be available in a folder just below the
ADMX file. If available, both the ADMX and its resource file will be
copied to the specified ADMX file location. If this file is not available,
an error will be displayed during the import. Administrative template
files may also be manually copied to the location to be used by DA.
The ADML file must also be manually copied to the proper resource
folder. It must be available to the system or the template will not
work.
Once a Group Policy Template element is added to the configuration
list, administrative template settings can be configured. This requires
that Administrative templates be imported into the system.
339
Administrator's Guide
Admx File Location
The Admx File Location defines where Desktop Authority will hold
the ADMX file to be used by the system. Upon import, the system
makes a copy of the file and places it in the selected file location.
Select Use default location, to use the DA default path for ADMX
files. This path is %program files%/ScriptLogic
Manager/TeamplateFiles. To select another path, choose Global
Location. The Global Location path is set on the Global Settings
dialog.
To add a new ADMX template to the list, click Import Template Files.
Browse to the ADMX template file and select it. Click Open to confirm
the selection. The template file will be automatically be imported and
added to the list. All policies within the template file are immediately
available for use in an Group Policy Templates element. Select the
template file(s) that will be used with this Group Policy Templates
element ( ). Once template files have been selected, select the
Settings tab.
Note: In order to import an administrative template to the
system's Global location, the user must have WRITE
permissions to the folder.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
340
Reference
INACTIVITY
The Inactivity object allows automatic Logoff, Shut down, Restart, or
Locking of a computer based on a period of inactivity occurring within
a specified period of time. Inactivity detection time is set in half-hour
increments. Inactivity settings are particularly useful in situations
where you need users to logoff at the end of the day so appropriate
updates are applied to all machines at logoff or the next logon. The
Inactivity option of locking a computer when inactive is supported on
2000, XP, 2003 and Vista operating systems only.
To select or clear an inactivity period, highlight a range of cells in the
inactivity grid. Press Don't Monitor Inactivity to clear the cells.
Press Monitor Inactivity to select the cells. To select an entire day,
click the day of the week label to the left of the grid. To select a
specific half-hour increment for every day of the week, click the hour
label above the grid.
341
Administrator's Guide
Multiple inactivity settings are supported per computer, if and only if,
there are no overlapping inactivity monitoring times. If any part of the
detection hours overlap between elements, only the first element will
be processed.
For example, if element 1 is monitoring for inactivity between the
hours of 5:00am - 7:30pm and element 2 is monitoring for inactivity
between the hours of 6:00am - 5:30pm, there is a period of time
between 6:00am and 5:30pm which are contained in both elements.
In this case, only element 1 would be processed on each applicable
client.
Settings
Detection hours
Don't Monitor Inactivity
Click Don't Monitor Inactivity to set the selected period of time as
unmonitored time.
Monitor Inactivity
Click Monitor Inactivity to set the selected period of time as
monitored time. Monitored time periods will display as colored
blocks.
Duration of inactivity before action (in minutes)
Specify a period of time in minutes for which the computer must be
inactive before the Action takes place. A computer is considered
inactive based on any keyboard and mouse activity.
User Warning
Warning to display
Prior to the selected Action (Logoff, Always Shutdown, Shutdown,
Restart, Standby, Hibernate, Lock) occurrence, a warning dialog will
be displayed for a specified number of minutes. If the warning
dialog is responded to, the Action will not take place. Once the
warning box is displayed, keyboard and/or mouse activity will not
abandon the desired action. The warning box must be responded to
in order to cancel the Action.
Sound to play
Specify a sound file (.WAV) to play when the inactivity warning is
displayed.
Duration of warning (in minutes)
Specify the number of minutes to display the warning dialog on the
inactive computer.
342
Reference
Action
Select Logoff, Shutdown, Always Shutdown, Hibernate, Standby,
Restart or Lock from the Action list. This action will occur if the
computer is considered inactive for the elapsed time specified.
Logoff — When the computer is considered inactive, log the user
off.
Shutdown — When the computer is considered inactive, Shutdown
the system only if there are no users logged in.
Always Shutdown — When the computer is considered inactive,
Shutdown the system regardless if any users are logged in.
Hibernate — When the computer is considered inactive, put the
system in Hibernation mode. In order for a computer to go into
Hibernation, Hibernation mode must be enabled in the computer
Power settings. If Hibernation is not enabled on the computer,
selecting this option will put the computer in StandBy mode.
Hibernate mode will turn the monitor, stop the disk drives and save
the current computer state into memory. The computer will then be
turned off. When the computer is restarted it will return back to the
state where you left it.
Standby — When the computer is considered inactive, put the
system in Standby mode. Standby will turn off the monitor, stop the
disk drives and save the current computer state into memory. At the
touch of the mouse or keyboard your computer will wake up, and
return to the state where you left it. In Standby mode, the computer
is put into a low power state.
Restart — When the computer is considered inactive, Restart the
system.
Lock — When the computer is considered inactive, Lock the system.
Desktop user can delay inactivity for a maximum of xx hours
There are some cases when the computer may seem to be
inactive but is actually in use. For example, the computer
may be running a video or a large procedure that does not
require user interaction. To give the user the opportunity to
delay the inactivity action for a period of time, specify the
number of hours inactivity may be delayed for. The
maximum number of hours inactivity can be delayed for is
24. The delay option is available for Logoff, Always
Shutdown, Restart, Standby, Hibernate or Lock actions.
Refer to the Desktop Agent section for details on how the
user can delay the inactivity detection.
343
Administrator's Guide
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
344
Reference
INI FILES
INI Files provide a means of configuration to many programs. The INI
Files object provides a single point of control over changing values in
an INI configuration file.
Settings
Action
Select an action from the Action list to define how the INI file is to
be updated. INI files can be updated by adding or deleting a
Section, and/or adding or deleting a Value or Data/Expression within
a specific section.
Available actions are:
•
Write Value
Store the data/expression along with the specified Value to
the INI File’s section. If the Section does not exist it will
also be created. If the Value does not exist in the INI file, it
will be created in the specified section.
•
Delete Value
Remove the specified value from the specified section in the
INI file.
•
Delete Section
Delete the specified section in the INI file. If the Section
already exists, it will be removed.
345
Administrator's Guide
Filespec
Enter the name of the INI file to be updated. If no path is specified,
Windows will try to locate the file in the Windows directory.
Section
Enter the name of the section that will be updated. If the Section
does not exist in the INI file, it will be created. Section names are
not case-sensitive, therefore, "ThisSection" is equivalent to
"thissection".
Value
Enter the name of the value that will be updated in the INI file. If
the Value does not exist in the specified section, it will be created.
Value is not applicable when the Action is set to Delete Section.
Data / Expression
Enter the data you would like stored in the specified Value. Data is
not applicable when the Action is set to Delete Section or Delete
Value.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
346
Reference
INTERNET EXPLORER SETTINGS
The Internet Explorer Settings object provides the ability to configure
Internet Explorer. Settings such as the Start Page, Search Page,
Download Directory, and Proxy Server information.
Settings
Start Page
Enter a valid HTML start page for Internet Explorer. Specifying a
start page forces all employees to view a common page each time
they load Internet Explorer. A good use for the start page is the
corporate web site or Intranet.
Leaving this field blank will allow your users to select and set a start
page of their own choice.
Search Page (IE v6 and below)
If you have created your own search page, or would like your users
to use a specific search engine, enter the URL in this field.
If this field is left blank, your users will be able to select and retain
the search page of their choice.
347
Administrator's Guide
Download Dir
Specify a default path that all file downloads should be redirected to.
The path may be in the form of a physical path, mapped drive or
to navigate to the path. Desktop Authority's dynamic
UNC. Click
variable selection is available for this field by pressing the F2 key.
Use a proxy server
Select this check box to enable a proxy server for an Internet
connection. Clear this check box if a proxy server is not used.
Address
Enter the name or TCP/IP address or host name of your network’s
proxy server.
Example:
192.168.100.205
If your organization has different proxy servers for different
protocols, you may use the Address field for all applications. Create
a single string in the Address field and leave the Port field blank.
Example:
http=10.0.0.5:80;https=10.0.0.7:443;ftp=10.0.0.9:21
Port
Enter the TCP/IP port number of your network’s proxy server.
Bypass proxy server for local addresses
Select this check box to ignore the proxy server for local addresses.
Clear this check box to use the proxy server for all Internet
addresses.
Do not use proxy server for addresses beginning with:
Specify Internet addresses that should not use a proxy server.
Multiple addresses can be specified and should be separated by a
semicolon (;). An asterisk (*) may be used as a wildcard.
Example:
www.*.com; 192.*; 192.168.*
Address of automatic configuration script:
Type an address (URL) or file name that will be used to configure
the proxy settings for Internet Explorer. Leave this field blank if you
do not use a configuration script file.
348
Reference
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
349
Administrator's Guide
LEGAL NOTICE
The Legal Notice object allows a company-wide logon banner or
notice to be centrally configured. This notice must be acknowledged by
pressing the Ok button. The legal notice is displayed on the client prior
to actually logging on to the domain. The Legal Notice differs from
Message Boxes, in that it is displayed before the user authenticates to
the domain. This provides a way for the company to spell out or
remind staff of company policies regarding use of the computer
network, email, Internet access, etc.
Since displaying a legal notice would interfere with the
automatic logon process, the Legal Notice will NOT be applied
to any NT/2000XP/2003/Vista/2008 computer if the computer
has AutoAdminLogon enabled.
Settings
Clear Legal Notice
Select this check box to temporarily disable the Legal Notice from
displaying on your clients. Clear this check box to configure a legal
notice.
Window Title
Enter a caption for the window frame in which the message text will
be displayed. Static text or Desktop Authority Dynamic Variables
can be used to configure the window title.
Example:
WARNING: Use of this computer is restricted and monitored!
350
Reference
Message
Enter the actual message text that will be displayed in the Legal
Notice window.
Example:
Information contained within this computer system may be protected by the Privacy Act of 1974.
All output, both visual and printed, must be marked appropriately and all precautions taken to
prevent unauthorized use or disclosure. Do not discuss, enter, transfer, process, or transmit
classified/sensitive national security information of greater sensitivity than that for which this
system is authorized. This system is approved for SENSITIVE but UNCLASSIFIED information
only. This is a Department of Defense (DoD) computer system. This computer system, including
all related equipment, networks and network devices (specifically including Internet access), are
provided only for authorized U.S. Government use. DoD computer systems may be monitored for
all lawful purposes, including to ensure that their use is authorized, for management of the
system, to facilitate protection against unauthorized access, and to verify security procedures,
survivability and operational security. Monitoring includes active attacks by authorized DoD
entities to test or verify the security of this system. During monitoring, information may be
examined, recorded, copied and used for authorized purposes. All information, including personal
information, placed on or sent over this system may be monitored. Use of this DoD computer
system, authorized or unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use
collected during monitoring may be used for administrative, criminal, or other adverse action. Use
of this system constitutes consent to monitoring for these purposes.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
351
Administrator's Guide
LOGGING
The Logging object maintains log files used to track information about
users logging onto the network and the computer they are logging on
from. Several customized fields of information may be stored in the log
file. The first 17 fields are automatically configured by default. They
may be changed, deleted, or added to, to meet specific needs.
Log files are Comma Separated Value (.CSV) formatted files. These
files may be viewed by clicking View Logs. These files may also be
viewed in any text editor, including notepad.
Log files use the profile name and current date for its file naming
convention. The file name is in the format of
ProfileName_YYYYMMDD.CSV and is stored in the LOGS$ share, by
default. A single log file is created once per day per profile and
contains all logon information for the day and profile.
Log File List
Log files can be configured with several fields of customized
information. Log file elements within the list are processed in the
order that they appear in the list.
Click Add to add a new element to the list. This will add the new
element to the end of the list.
Click Insert to add a new element to the current position in the list.
The entry is added to the list just above the highlighted element.
Click Modify to edit the existing highlighted element in the list.
Copy will duplicate the selected element. You are given the
opportunity to modify the settings at the time of the copy.
Click Delete to remove the highlighted element from the list.
Use Move Up ( ) and Move Down ( ) to reorder the elements in
the list by moving the selected element up or down.
352
Reference
The following variables are defaults in new profiles:
Variable
Description
$Date
Current date
$Time
Current time
$LogonServer
Authenticating Domain
Controller
$ConnType
Connection method
$WrkSta
Computer Name
$SiComputerType
Computer Type
$IPaddr
TCP/IP address
$SiCpuType
CPU Type
$SiCpuSpeed
CPU Speed
$SiRamMb
Physical RAM (Mb)
$SystemDrive
System Drive
$VerboseOS
Verbose Operating
System version
$OSCSDVersion
Current service pack
$HotFixes
Current Hot Fixes
$IeCurVer
Internet Explorer
version
$OfficeCurVer
Microsoft Office
version
$UserID
User ID
$FullName
User's full name
$Description
User account
Description
353
Administrator's Guide
Log File Location
Enter the location where the log files will be created or press
to
select a folder. The location may be specified in the form of a path,
mapped drive or UNC. Dynamic variables may be used as an aid in
defining the location. Press the F2 key to select a dynamic variable
from the popup list.
If specifying a UNC, the location should be specified in the form of
\\server\share\. Typically, the log file folder is a shared folder
and is stored on a Domain Controller.
The default share name (unless modified during the install) is set to
LOGS$.
Example:
\\pdcserver\LOGS$$ use LOGS$ share on pdcserver
To disable logging, clear the specified Log File Location.
View Logs...
Click View Logs... to open the Log File Viewer.
Log Entry
When modifying the log file entries, select an entry from the Log
Entry list, enter static text, and/or press F2 or the Insert Variable
button to use insert a dynamic variable. The dynamic variable
selected from the popup list is inserted into the field at the current
cursor position.
354
Reference
LOG FILE VIEWER
The Log File Viewer is used to view available log files. These files are
created and updated each time a client logs on to the network. A log
file is a Comma Separated Value (comma delimited) file and can be
viewed in any text editor or directly within Desktop Authority. A new
log file is created each day for each profile. The log file’s name is
constructed using the profile name as well as the date of the file. For
example, on April 10, 2001, profile SLP00001, the log file created will
be SPL00001_20010410.CSV.
The Log File Viewer is accessible by clicking View on the Logging
object.
Filter Available Logs To
Since there are most likely numerous log files located in the Log
share, select a Profile, Month and Year to limit the files listed in the
Available logs list.
Available Logs
This list displays all available log files from the Log share. This list is
filtered based on the Month and Year specified in the Filter Available
Logs To field. To add a log file to the Selected Logs list click Add>>
or double click on an entry.
Selected Logs
This list displays all selected log files. The selected files will be
opened in the log file viewer when View is clicked.
Add >>
Click Add>> to add the selected Available Logs file(s) to the
Selected Logs list.
Add All
Click Add All to add all Available Log files to the Selected Logs list.
<< Remove
Click <<Remove to remove the selected file(s) from the Selected
Logs list and restore them to the Available Logs list.
Remove All
Click Remove All to remove all files from the Selected Logs list and
restore them to the Available Logs list.
355
Administrator's Guide
Purge log files older than [xx] months
Desktop Authority can automatically purge log files older than xx
months. Specify the number of months in this entry. To disable the
automatic purge of log files, enter 0 in this field. Old log files are
purged when the Log File Viewer button is pressed. Once a log file is
purged, it is no longer available in the Log File Viewer list.
View
Click View to view the contents of all selected log files. The log files
are combined and displayed as one contiguous list of entries in
date/time default order. This list can be sorted by any column
specified for the log file definition. Click on a column header to sort
the entries. When viewing log files, the number of unique clients is
determined and displayed on the bottom of the View Log File dialog.
356
Reference
MICROSOFT OUTLOOK PROFILES
The Microsoft Outlook Profiles object provides the ability to
configure one or more client mail profiles. Mail profiles are part of the
Windows Messaging system and are used to define the services and
options needed to connect the Outlook client to your Microsoft
Exchange server. An administrative template can be established that
will automatically configure the most common services used by
Outlook when your clients log on to the network.
Desktop Authority will automatically create mail profiles for a user on
any computer that they log on to. With Desktop Authority performing
this necessary administrative task, a visit to each desktop will be
saved. Your users will benefit from increased productivity if they roam
to different computers — no matter which computer they log on to.
They will have access to their electronic mail instantly!
Mail Profile creation requires Internet Explorer 4.01 or greater
to be installed on the client.
Settings
If user has existing profile, do not apply the settings below
Select this check box disable the creation of profiles for users that
have existing profiles on the client they are logging in from. Clear
this check box enable the creation of mail profiles regardless of
whether there are existing profiles for the user.
On 9x machines that do not have user profiles enabled, all
profiles on the machine are scanned. If a profile is found for
the user by matching $userid or $fullname to the mailbox
name, it will be set as default for that user.
357
Administrator's Guide
Mail Profile Name
Enter the name to be used for the new profile creation. This can be
static text, a Desktop Authority dynamic variable, or a combination
of the two. Press the F2 key to select a dynamic variable.
The default value for the mail profile name is $FullName.
Exchange Server
Enter the name of the Exchange Server to which the profile will be
connected to. Type the server name into the field or click
locate and select a server.
to
Mailbox Name
Enter the name of the mailbox the user will be connected to on the
Exchange Server.
The Mailbox name must match the Display Name, Alias or
Distinguished Object name defined for the user on the Exchange
Server. To achieve this, use a dynamic variable. This may need to
be used in combination with static text.
The default for this field is $UserID, which typically matches the
user’s Display Name defined in Exchange.
Rename user's existing default profile if mail profile name is
different
If the user mail profile name is different than what is specified as
the Mailbox name, select this check box to rename the existing
profile. Leave this check box clear to keep the existing profile name.
Delete all profiles except for user's default profile
Select this check box to delete all profiles for this user except the
user's default profile.
This selection will not work on Windows 9x machines unless local
user profiles are enabled.
Delete all backup profiles created during configuration
Select this check box to remove all backup profiles.
358
Reference
Additional Mailboxes
Many times it is necessary to assign a delegate to a mailbox. A
delegate is someone who is given permission to view a mailbox
other than their own. The mailbox will be added to the delegates
profile and be visible to the user when Outlook opens. Click Add to
add a mailbox to the Mailbox list. Specify the mailbox owner's
UserName as the mailbox name. Click Delete to remove the
selected mailbox from the mailbox list.
Additional mailboxes will be assigned to any user who validates for
the configuration setting. In order for the user to have permission to
view the additional mailbox, the delegate must be granted
permission to view the nominated mailbox. Desktop Authority will
take care of adding the additional mailboxes to the delegate's
profile.
Remove mailboxes not listed here
Select this check box to remove any mailbox associated with the
mail profile that is not explicitly defined in the Desktop Authority
Mailbox list.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
359
Administrator's Guide
MESSAGE BOXES
The Message Boxes object allows you to centrally manage and
configure popup messages. This popup window is displayed on the
client during the logon process after the user is authenticated.
Message boxes can be used to notify users of scheduled downtime or
upcoming company events.
Since displaying Message Boxes could interfere with the
automatic logon process, Message Boxes will NOT be displayed
on any computer if AutoAdminLogon is enabled.
Settings
Window Title
Type in static text or press the F2 key to select a dynamic variable.
The window title is displayed at the top of the popup window.
Message
Enter the text to be displayed in the message box. Dynamic
variables can be used in conjunction with your text. Press the F2 key
to select a dynamic variable.
360
Reference
Style
Select a message box style from the Style list. Choose from
Information, Warning, or Error. Each style displays an icon to the
left of the message. The style makes use of the following icons in
the message box:
Information
Warning
Error
Timeout in Seconds (0 = no timeout)
Enter a numeric value representing the number of seconds the
message box will be displayed for. It will be displayed for this
number of seconds unless the OK button is pressed before the
timeout occurs.
Cycle
Select a time interval for which your message box will display.
Choose from Everyday, Day of Week, Monthly (Day of Week),
Monthly (Day of Month), or Specific Date.
•
Selecting Every time as the cycle, will force the Message
Box to be displayed each logon, logoff and refresh as
specified in the validation logic.
•
Selecting Day of Week as the cycle, presents a new Day of
Week list allowing the selection of a day from Sunday to
Saturday. The Message Box will be displayed on the
specified day, every week, at the selected frequency.
•
Selecting Monthly (Day of Week) as the cycle, presents a
new Day of Month list allowing the selection of a day in the
month ranging from 1st Sunday, 1st Monday, . . . to the 5th
Saturday of the month. The Message Box will be displayed
on the specified day, at the selected frequency.
•
Selecting Monthly (Day of Month) as the cycle, presents a
new Day of Month list allowing the selection of a day
number of the month. The Message Box will be displayed on
the specified day of the month, at the selected frequency.
•
Selecting Specific Date as the cycle, presents an entry to
which the specific date should be entered. Press the Date
arrow to make your date selection from any calendar day.
The Message Box will be displayed on the specific day, at
the selected frequency.
361
Administrator's Guide
Frequency
Select a logon frequency from the drop-down list. Select from Every
time, Once Per Day (User), Once Per Day (Computer), One Time
(User), One Time (Computer).
•
Select Every time to display the Message Box at the
specified cycle, every time the user logs on or off the
network.
•
Select Once Per Day (User) to display the Message Box at
the specified cycle, one time per day for the current user.
•
Select Once Per Day (Computer) to display the Message Box
at the specified cycle, one time per day for the computer.
•
Select One Time (User) to display the Message Box at the
specified cycle, a single time for the current user.
•
Select One Time (Computer) to display the Message Box at
the specified cycle, a single time for the computer.
The Message Box is displayed at the specified cycle and frequency.
UID
The UID entry is used to make each element in the Message Box
list, a unique item, regardless of the contents of the message box.
The data in this entry is automatically generated and should not be
modified. However, if an configuration element in the list is set to
run Once Per Day or One Time, and must be executed a second
time, the UID can be changed by clicking Generate New.
Test Message Box
Click the Test Message Box button to preview the popup message
dialog box. The preview is shown exactly as it will appear on the
client. The only exception to this is that dynamic variables used
anywhere in the Window Title or Message. Since dynamic variables
are evaluated at the time a user logs in, the manager is not able to
resolve this variable while configuring the message box. The
dynamic variable will be shown in place of the actual value of the
variable.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
362
Reference
MICROSOFT OFFICE SETTINGS
The Microsoft Office Settings object provides the ability to centrally
configure default file locations for Microsoft Office.
By centrally configuring the paths used by Microsoft Office, it is
ensured that user-created documents are stored to network servers
rather than locally on the user’s computer. This enables documents to
be secured, backed up nightly, and made available to the user
regardless of which computer the user logs on from.
Settings
Application/Suite
Select an application including the version from the list.
Option
Select an option from the list. The content of the list varies based on
the Application/Suite chosen.
Path
Specify a path that the selected option should be redirected to. The
path may be in the form of a path, mapped drive or UNC. Click
to navigate to the path. Optionally, press the F2 key to use a
Desktop Authority dynamic variable.
363
Administrator's Guide
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
364
Reference
MICROSOFT OUTLOOK SETTINGS
The Microsoft Outlook Settings object provides the ability to
configure several Microsoft Outlook configurations. Outlook client
settings are configured during the logon process. These settings are
reconfigured each time a user logs on to the network.
Settings
General Settings
View Outlook Bar
Select this check box,
, to display the Outlook shortcut bar upon
entry into Outlook. Clear the check box,
, to hide the Outlook
shortcut bar. Gray the check box,
, to preserve the user’s current
Outlook setting.
The Outlook Bar is available in versions of Outlook prior to
2003. This is not a feature in Outlook 2003.
View Folder List
Select this check box,
, to display the Folder list upon entry into
Outlook. Clear the check box,
, to hide the Folder list. Gray the
check box,
, to preserve the user’s current Outlook setting.
The Folder List is available in versions of Outlook prior to
2003. This is not a supported in Outlook 2003.
365
Administrator's Guide
Warn before permanently deleting items
Select this check box,
, if Outlook should warn the user before
deleting entries from the Deleted Items folder upon exit. Clear the
, to disable any warning that entries will be deleted
check box,
from the Deleted Items folder. Gray the check box,
, to preserve
the user’s current Outlook setting.
Startup in this folder
Select an Outlook folder from the list. Choose from Outlook Today,
Inbox, Calendar, Contacts, Tasks, Journal and Notes. The selected
folder is the default folder that will be opened upon Outlook startup.
Select User-defined from the list to use the folder as specified in the
clients Outlook options.
Outlook Today is not supported in Outlook 97. If Desktop Authority
detects Outlook 97, and the Outlook Today folder is selected,
Desktop Authority will set the startup folder to the Inbox.
Empty Deleted Items folder on exit
Select a day of the week, Everyday or Never from the list. This
selection controls when the entries in the Deleted Items folder will
be permanently deleted. Select User-defined from the list to use the
setting as specified in the client’s Outlook options.
New mail arrival
Display a notification
Select this check box,
, to enable a visual notification when new
mail arrives to the inbox. Clear the box,
, to disable any visual
notification of new email. Gray the check box, , to preserve the
user’s current Outlook setting.
Play a sound
, to play a sound when new mail is
Select this check box,
received. Clear the box,
, to provide no audio notification of new
email. Gray the check box,
, to preserve the user’s current
Outlook setting.
366
Reference
AutoArchive
AutoArchive every xx days
Select this check box,
, to configure Outlook items for archival.
Clear this check box,
, to disable the AutoArchiving of Outlook
items. Gray the box,
, to preserve the user’s current Outlook
setting.
If AutoArchiving is activated, items will be archived every x number
of days. The number of days must be between 1 and 60. If a value
of 0 is entered, the client’s current profile setting will be used.
Prompt to AutoArchive
, to prompt the user that AutoArchiving is
Select this check box,
about to occur. This will give the user the ability to cancel the
, to never prompt the user
archival process. Clear this check box,
about the archival process. Gray the check box,
, to preserve the
user’s current Outlook setting.
Folder
Enter the folder where the archive files should be stored. Manually
type the path or UNC into this field. Alternatively, click
navigate to the folder.
to
If the specified folder does not exist, Desktop Authority will create it.
If no folder is specified, Desktop Authority will use the client’s
current profile setting. This will allow each client to specify a location
of their choice.
File name
Enter the name of the file to store archived items to. This file will be
stored in the Folder specified in the Folder entry.
The default for this field, is $UserID.PST, which uses a dynamic
variable to build the file name. To insert a dynamic variable, press
the F2 key to select it from the list. The dynamic variable will be
inserted into the field at the cursor’s current position.
If the specified file does not exist, Desktop Authority will create it. If
no file is specified, Desktop Authority will preserver the user’s
current setting.
367
Administrator's Guide
Delete expired items (email folder only)
Outlook items can be deleted instead of archived using the Delete
expired items options. This option will delete old items instead of
, to delete
moving them to an archive file. Select this check box,
items instead of archiving them. Clear this check box,
, to archive
items instead of deleting them. Gray this check box,
, to preserve
the user’s current Outlook setting.
When sending a message
Allow comma as address separator
Select this check box,
, to allow the use of commas (,) as well as
the standard semicolons (;) to separate names in the To, Cc and Bcc
, to only allow the standard
address lines. Clear this check box,
semicolon (;) separator. Gray this check box,
, to preserve the
user’s current Outlook setting.
Automatic name checking
, to allow Outlook to check the names
Select this check box,
entered into the To, Cc and Bcc address lines. Names are checked
against the address book. If the name is found, it is underlined.
, to disable automatic name checking. Gray
Clear this check box,
this box,
, to preserve the user’s current Outlook setting.
Message format & handling
Message format
Select a message format from the list. Choose from User-Defined,
HTML, Rich Text or Plain Text. When creating new messages this
format will be used.
Choose User-defined to allow the user to control the message
format.
Use Microsoft Word as editor
, to tell Outlook to use Word when creating
Select this check box,
or editing messages. Clear this check box,
, to use Outlook's
default editor. Gray this check box,
, to preserve the user’s
current Outlook setting.
Send pictures from the Internet
, to send any pictures that are part of the
Select this check box,
message. Clear this check box,
, to disable the sending of
attached pictures. Gray this check box,
, to preserve the user’s
current Outlook setting.
368
Reference
Save copies of mail in Sent Items folder
Select this check box,
, to save a copy of each outgoing message
in Outlook's Sent Items folder. Clear this check box,
, to disable
the saving of a copy of each outgoing message. Gray this check box,
, to preserve the user’s current Outlook setting.
Auto-save unsent messages every xx minutes
Select this check box,
, to allow Outlook to automatically save a
copy of unsent messages to the Drafts folder. Messages will be
saved every xx minutes. Specify the number of minutes in the entry
, to prevent saving a copy of unsent
box. Clear this check box,
messages. Gray this check box,
, to preserve the user’s current
Outlook setting.
Spelling
Always check spelling
Select this check box,
, to configure Outlook’s spell check to
always spell check a message before sending it. Clear this check
, to disable spell check on outgoing messages. Gray this
box,
check box,
, to preserve the user’s current Outlook setting.
Always suggest replacements
Select this check box,
, to configure Outlook’s spell check to
always suggest word replacements for misspelled words. Clear this
, to disable misspelled word replacement. Gray this
check box,
check box,
, to preserve the user’s current Outlook setting.
Ignore words in UPPERCASE
Select this check box,
, to configure Outlook’s spell check to
ignore all uppercase words during spell check of a message. Clear
, to include uppercase words during the spell
this check box,
check of a message. Gray this check box,
, to preserve the user’s
current Outlook setting.
Ignore words with numbers
, to configure Outlook’s spell check to
Select this check box,
ignore any words that contain numbers during spell check of a
, to include words with numbers
message. Clear this check box,
during the spell check of a message. Gray this check box,
, to
preserve the user’s current Outlook setting.
369
Administrator's Guide
Ignore original message in replies
Select this check box,
, to configure Outlook’s spell check to
ignore the text of the original message during spell check of a
, to include the text of the original
message. Clear this check box,
message during the spell check of a message. Gray this check box,
, to preserve the user’s current Outlook setting.
Data Files
Select the Data Files tab for Outlook settings pertaining to PAB &
Personal Folder Settings and Offline Access Settings.
Cached Mode/RPC
Select the Cached Mode/RPC tab to configure Outlook's Cached
Exchange Mode.
Signature
Select the Signature tab to format a block of text and/or graphics to
appear at the end of outgoing messages. Normally, signatures are
used to identify the sender of the message, along with their contact
information.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
370
Reference
MICROSOFT OUTLOOK DATA FILES
The Microsoft Outlook Data Files tab is used to enable/disable and set
file locations for the Personal Address Book, Personal Folders, Offline
Address Book and Offline Folders locations.
PAB & Personal Folder Settings
PAB Configuration
Select a configuration option from the list to add the Personal
Address Book service to the profile. Select from Leave alone, Create
if one does not exist, Create if one does not exist or modify existing,
Only modify existing or Remove any existing from the list.
PAB File Name
Enter the file name to be used for the Personal Address Book. This
file will be stored in the file and location specified by the PAB File
Name and PAB Folder entries.
The default for this field, is $UserID.PAB, which uses a dynamic
variable to build the file name. To insert a dynamic variable, press
the F2 key and select it from this list. The dynamic variable will be
inserted into the field at the cursor’s current position.
371
Administrator's Guide
PAB Folder
Enter the folder to be used to store the Personal Address Book and
Folder Settings. This can be entered in the form of a mapped drive,
path or UNC.
Manually type the path or UNC into this field. Alternatively, click
to navigate to the folder if it is located on a network share. If the
specified folder does not exist on the target drive, Desktop Authority
will create it.
PST Configuration
Select a configuration option from the list to add the Personal
Folders service to the profile. Select from Leave alone, Create if one
does not exist, Create if one does not exist or modify existing, Only
modify existing or Remove any existing from the list.
PST File Name
Enter the file name to be used for Personal Folders. This file will be
stored in the location specified by the Folder entry.
The default for this field, is $UserID.PST, which uses a dynamic
variable to build the file name. To insert a dynamic variable, press
the F2 key and select it from the list. The dynamic variable will be
inserted into the field at the cursor’s current position.
PST Folder
Enter the folder to be used to store the Personal Folder settings.
This can be entered in the form of a mapped drive, path or UNC.
Manually type the path or UNC into this field. Alternatively, click
to navigate to the folder if it is located on a network share. If the
specified folder does not exist on the target drive, Desktop Authority
will create it.
New style PST file (if supported by Outlook)
, to use Outlook 2003 style PST files when
Select this check box,
creating or modifying PST configuration files. Clear the check box,
, to use the earlier version of Outlook PST files. Gray the check
box,
, to use the user’s current Outlook default. This box is only
available when creating or modifying the PST configuration.
New e-mail to PST file
, to send new mail to the defined PST
Select this check box,
folder/file. Clear the check box,
, to use the user's current
Outlook inbox. Gray the check box,
, to preserve the user's
current Outlook setting. This box is only available when creating or
modifying the PST configuration.
372
Reference
Offline Access Settings
OST Configuration
Offline Folders (.ost) are used to keep a local copy of the client's
Exchange mailbox local to the computer. The items in the .ost file
are synchronized with the server when the connection is available.
Using this option allows for the client to work productively from local
files when the server is unavailable.
Select a configuration option from the list to enable Offline Files.
Select from Leave alone, Create if one does not exist, Create if one
does not exist or modify existing, Only modify existing or Remove
any existing from the list. This also activates the use of automatic
offline synchronization. The offline content is stored in the file and
location specified by OST File Name and OST Folder.
OST File Name
Enter the file name to be used for Offline folders. This file will be
stored in the location specified by the OST Folder entry.
The default for this field, is $UserID.OST, which uses a dynamic
variable to build the file name. To insert a dynamic variable, press
the F2 key to select it from the list. The dynamic variable will be
inserted into the field at the cursor’s current position.
OST Folder
Enter the physical path on the client machines where the Offline
Folder (OST) files should be stored. Manually type the path or UNC
to navigate to the folder. If the
into this field. Alternatively, click
specified folder does not exist, Desktop Authority will create it.
OAB Configuration
Along with enabling Offline Folders, the Personal Address Book can
also be made available offline (OAB). Select a configuration option
from the list to enable the use of the Offline Address Book service
for the Mail Profile. Select from Leave alone, Create if one does not
exist, Create if one does not exist or modify existing, Only modify
existing or Remove any existing from the list.
The Offline Address Book does not include a file name. The OAB is
comprised of a number of files which are automatically created and
named by Outlook when first used.
OAB Folder
Enter the physical path on the client machines where the Offline
Address Book (OAB) should be stored. Manually type the path or
to navigate to the folder.
UNC into this field. Alternatively, click
If the specified folder does not exist, Desktop Authority will create it.
373
Administrator's Guide
MICROSOFT OUTLOOK CACHED MODE/OUTLOOK ANYWHERE
The Microsoft Cached Mode/Outlook Anywhere tab is used to
configure Outlook's Cached Exchange Mode and Outlook Anywhere
settings. Outlook's Cached Exchange Mode allows Outlook to cache its
mailbox data to the local drive. This allows access to Outlook data
when the Exchange server is unavailable. When the Exchange server is
available, Outlook will periodically connect and retrieve its data.
Microsoft Outlook can communicate with Exchange servers over the
Internet via a browser based interface. Outlook Anywhere is used to
allow remote users to access the Exchange server for email access
through the company firewall without the necessity of using a VPN.
374
Reference
Use Cached Exchange Mode
Select this check box,
, to configure Outlook to use it's Cached
Exchange Mode. Clear the check box,
, to remove the use of Cached
Exchange Mode. Gray the check box,
, to preserve the user’s
current Outlook setting.
Exchange over the Internet (Outlook Anywhere)
Connect to Exchange mailbox using HTTP
Select this check box,
, to configure Outlook to connect to the
Exchange server using RPC over HTTP protocol. Clear the check box,
, to remove the use of RPC over HTTP communication protocol.
Gray the check box,
, to preserve the user’s current Outlook
setting.
Connection Settings
Use this URL to connect to my proxy server for Exchange
Enter the Exchange server's fully qualified domain name.
Connect using SSL only
, to enforce that a Secure Sockets
Select this check box,
Layer protocol is used when data is transmitted over HTTP.
, to remove the SSL protocol
Clear the check box,
restriction.
Mutually authenticate the session when connecting with SSL
, to enable mutual authentication.
Select this check box,
Clear the check box,
, to disable the mutual authentication
requirement.
Principal name for proxy server
Enter the proxy server's principal name. This is the server
name used to mutually authenticate the session.
On fast networks, connect using HTTP first, then connect
using TCP/IP
, on fast internet connections, such
Select this check box,
as DSL or Broadband, to connect to the Exchange server via
HTTP first. If the connection is unsuccessful, TCP/IP will be
used to connect to the Exchange server.
375
Administrator's Guide
On slow networks, connect using HTTP first, then connect
using TCP/IP
, on slow internet connections, such
Select this check box,
as dial-up, to connect to the Exchange server via HTTP first.
If the connection is unsuccessful, TCP/IP will be used to
connect to the Exchange server.
Proxy authentication settings
Use this authentication when connecting to my proxy server
for Exchange
Select Basic Authentication or NTLM Authentication from the
list. Basic Authentication will require the user to enter a
password each time a connection is made to the Exchange
server.
376
Reference
MICROSOFT OUTLOOK SIGNATURE
The Microsoft Outlook Signature tab is used to format a block of
text and/or graphics to appear at the end of outgoing messages.
Normally, signatures are used to identify the sender of the message,
along with their contact information.
Signature Name
Enter a name for the signature. This will be the name of the
signature used in Outlook.
Signature Code
Enter plain text or HTML code to be included in Outlook messages as
the signature.
Preview Signature
Click the Preview Signature button to preview the Outlook
signature. The preview is shown exactly as it will appear in the
message.
377
Administrator's Guide
Edit Signature
Click the Edit Signature button to open the system's default HTML
editor. Once opened, create the signature code and exit the editor.
The newly created signature will be displayed in the Signature Code
box.
If the signature is created in another editor, it may not be
able to read into the signature code box. If this is the case, a
message will be posted and a manual copy and paste will be
necessary.
Select Signature for Outlook 2000
Select signature for new messages
Select this check box,
, to configure Outlook 2000 to use this
signature at the bottom of every new message. Clear the check
, to remove the use of this signature at the bottom of every
box,
new message. Gray the check box,
, to preserve the user’s
current Outlook 2000 setting regarding the use of signatures at the
end of every new message.
Select signature for replies and forwards
, to configure Outlook 2000 to use this
Select this check box,
signature at the bottom of every message that is a reply or forward
, to remove the use
of a previous message. Clear the check box,
of this signature at the bottom of every message that is a reply or
, to
forward of a previous message. Gray the check box,
preserve the user’s current Outlook 2000 setting regarding the use
of signatures at the end of every message that is a reply or
forward of a previous message.
Select Signature for Outlook 2002 and above
Mail Profile creation and signature configuration cannot be
configured during the same logon event. The Mail Profile
must be instantiated before the signature can be configured
within the profile. The signature configuration will require an
extra logon event.
Select signature for new messages
Select this check box,
, to configure Outlook 2002 and above to
use this signature at the bottom of every new message. Clear the
, to remove the use of this signature at the bottom of
check box,
every new message. Gray the check box,
, to preserve the user’s
current Outlook 2002 and above setting regarding the use of
signatures at the end of every new message.
378
Reference
Select signature for replies and forwards
Select this check box,
, to configure Outlook 2002 and above to
use this signature at the bottom of every message that is a reply
, to
or forward of a previous message. Clear the check box,
remove the use of this signature at the bottom of every message
that is a reply or forward of a previous message. Gray the check
, to preserve the user’s current Outlook 2002 and above
box,
setting regarding the use of signatures at the end of every
message that is a reply or forward of a previous message.
379
Administrator's Guide
PATCH DEPLOYMENT*
Desktop Authority’s Patch Distribution and Deployment feature
ensures that your Microsoft desktop Operating Systems and
applications are kept up-to-date with the latest patches from Microsoft.
The Patch Deployment object provides the ability to deploy patches on
clients during the logon, logoff or shut down events, based on the
specified Validation Logic. Before a patch is installed, several checks
are completed to ensure that the Operating System, product, version,
language, and etc. match the intended recipient's configuration.
Patches may also be uninstalled from a client machine if the patch
contains uninstall capabilities.
Desktop Authority will not attempt to install patches if the client does
not have enough available disk space. The engine determines the
amount of available disk space before the patch is installed. By
default, 200mb of disk space must be available to install any patch.
This default can be overridden by defining a value in the global or
profile definition file.
The variable #HotFixFreeSpaceNeededInMB is used to override the
available disk space amount. Select Global Options > Definitions or
select the Definitions tab on the profile's settings.
Example:
#HotFixFreeSpaceNeededInMB="100"
Patch Deployment, in evaluation mode, allows patches to be
downloaded from Microsoft. However, only Low severity
patches can be installed via desktop Authority in this
evaluation mode.
Once the Patch Deployment Subscription service is purchased, all
patch file(s) available from Microsoft can be downloaded and
installed/uninstalled centrally with Desktop Authority. The Update
Service must be installed and configured in order for Desktop Authority
to retrieve the latest patch listings and files. If it is not configured at
the time the Patch Deployment object is selected in the Navigation
Pane, a message will be displayed with an opportunity to install and
configure the service.
380
Reference
Once configured, the download servers will query scriptlogic.com to
determine the product mode and download updated patch file listings,
when available, and requested patch files. For more information on the
Update Service, see What is the Update Service?
Timely installation of patches is essential to the security of the
enterprise network. Following the recommended configurations will
help to administer, distribute and install Microsoft operating system
and product patches in a timely manner, without compromise to the
security of the network.
Note: If the server does not have Internet access, the Desktop
Authority Updates and Patch Download Service (DAUPDS) can
be used to provide the Enterprise the ability to download
patches and updates for Desktop Authority Servers that may
not or can not have Internet access. This tool will download the
updates and patches which can be imported into Desktop
Authority for consumption by the Update Service. For more
information on this tool, go to the Desktop Authority support
page on the ScriptLogic website.
Settings
381
Administrator's Guide
Deploy by Q-Number/Deploy by Criteria/Deploy by Individual
Patch
Deploy by Individual Patch allows one or more individual patches
to be selected for deployment. Patches that are available for more
than one installation platform are selected only once based on the
actual patch number or bulletin id. The patch will be installed for all
target installation platforms that the patch supports. Use the Filter
criteria to locate and select the necessary patch files. When a client
logs on and validates for the patch, the selected patch files will be
installed.
Deploy by Criteria allows all patches with specific severities and
products to be installed. Simply select the severities and products in
the Filter criteria box. When a client logs on and validates for the
patch deployment element, all patch files for the selected severities
and products will be installed.
Deploy by Q-Number allows one or more individual patches to be
selected for deployment. Patches that are available for more than
one installation platform are selected based on the actual
installation platform. A single patch number or bulletin id may be
selected more than once in order to patch the selected target
platforms. Use the Filter criteria to locate and select the necessary
patch files. When a client logs on and validates for the patch, the
specified patch files will be installed.
Show me patches for
Select from Install/Rollback (Uninstall) from the drop list. Selecting
Install will show all patches that can be chosen for installation on
target machines. Selecting Rollback will show all patches that
contain an Uninstall procedure. Any patch selected with this option
will be removed from target machines it if exists.
Filter
Use the Filter tool to minimize the available patch list based on
severity and/or product. Select the Severity Filters box to
automatically select each severity listed below it or select individual
severities below the Severity Filters box. Clear the Severity Filters
check box to clear all selected severities.
Select the Product Filters box to automatically select all products
listed below it or select individual products below the Product Filters
box. Clear the Product Filters box to clear all selected products.
Search
Click Search to filter the patch list based on the Severity and
Product filters chosen in the Filter list. A count of selected patches
will be displayed following the search.
382
Reference
Patch List
The Patch list is available when the Deploy by Individual Patch or
Deploy by Q-Number option is selected. This list displays all
patches matching the filter criteria. Information regarding each
patch includes the Patch number and Affected Products. The patch
list is sortable by any one of the columns available in the list. Sort
the list by clicking on a column header.
Select a patch to deploy by selecting the Deploy box. To deploy
multiple consecutive patches from the list, click on the first one.
While holding down the SHIFT key, select the last consecutive patch,
and then select the Deploy box. Multiple non-consecutive patches
may be selected from the list by pressing the CTRL key while
selecting each individual patch and then selecting the Deploy box.
Distribution servers
Select Automatic selection to copy the patch file(s) to the client from
the selected server. Select Use specific servers to define a specific
server(s) to copy the patch file(s) from. Separate multiple server
names using a semicolon (;).
If requested patches are not available on the client machine,
suspend the logon/logoff process until they are downloaded.
Select this box to download the necessary patch file if it does not
exist on the client. The download request is sent to a server that is a
designated download server. Once requested, the patch file will be
downloaded (if necessary) and duplicated on the distribution server.
Any client that requests the same patch file from the distribution
server following, the duplication of the patch file, will receive the
patch file for installation.
Clear this box to continue processing if the patch file does not exist
at the specified location. The client will check for the patch during
future logons until it can be installed successfully.
Pre-Download
Automatically pre-download patch files to distribution servers.
(Available for Deploy by criteria only)
Select this box to allow the Update Service to automatically
download new patches when there are any that match the specified
Products and Severities.
Languages
to select one or more languages for the automatic preClick
download patch files to download. Select from German, English,
French and/or Spanish.
383
Administrator's Guide
Client Options
The Client Options allow settings to be configured to allow the end
user to defer the installation of a patch. A patch can be deferred for a
specified number of times.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
*This feature is a purchasable option for Desktop Authority. This
option is not available with Desktop Authority Express. Desktop
Authority users must upgrade to Desktop Authority in order to
purchase this option.
384
Reference
UPDATE SERVICE BEST PRACTICES
Timely installation of updates and patches are essential to the security
of the enterprise network. Following the recommended configurations
below will help to administer, distribute and install Microsoft operating
system and product patches and updates in a timely manner, without
compromise to the security of the network.
Single Site LAN
The installation of the Update Service is required in order to use
Software Management, USB/Port Security, Patch Management and/or
Anti-Spyware objects. The Update Service is installed within the Server
Manager.
The MSI Packages object publishes packages to each server that has
the Update Service installed.
To best configure the Update Service for a single site network, there
should be one server that is designated as the download server. A
server is configured to be a download server in the Update Service
configuration dialog.
385
Administrator's Guide
386
Reference
387
Administrator's Guide
The download server pulls patch files from Microsoft. The downloaded
patch files are stored in the directory specified in the Update Service
configuration dialog. This directory by default is %Program
Files%/ScriptLogic/Update Service/Cache. The download server also
connects with ScriptLogic to pull down licenses information, antispyware definition updates, patch database updates and ScriptLogic
Patch Management updates. The connection to the ScriptLogic web site
is a secure connection.
In the illustration above, a client logs on to the network and is
connected to Server11 via a random selection by the Desktop Authority
engine. In this scenario, Server1 is configured as the download server.
If the patch exists on the server, it is distributed to the client as
requested, based on the validation logic specified for the patch file(s)2.
If the patch file has not yet been downloaded by the server, a request
is sent via the Update Service to Microsoft and the patch file(s) is
downloaded3. In this case, one of two scenarios will occur on the client.
Depending on the configuration of the "If patch is not available, do not
continue" prompt on the Patch Deployment element, either Desktop
Authority will continue to process on the client without installing the
patch, or it will pause and wait for the patch to download and install
before going any further. If the prompt is selected (checked on), the
client will wait for the patch to download and install. If the prompt is
cleared (checked off), the client will attempt the patch installation the
on the next logon attempt.
388
Reference
In this scenario, Server2 and Server3 are designated as distribution
servers. This means that these servers will never directly request a
patch file from Microsoft. Instead, these servers will send a request to
the networks download server for the patch file. At this time, the patch
file will be delivered to the distribution server that requested it.
When a client logs onto the network and is connected to a distribution
server1, a request is sent from the distribution server to the download
server for the patch file (if it does not already exist on the distribution
server)2. If the patch file does not already exist on the download
server, it is downloaded by the Update Service3. The patch file is then
distributed to the distribution server4 and then deployed to the client5.
Again, one of two scenarios will occur on the client when connected to
a distribution server. Depending on the configuration of the "If patch is
not available, do not continue" prompt on the Patch Deployment
element, either Desktop Authority will continue to process on the client
without installing the patch, or it will pause and wait for the patch to
download and install before going any further. If the prompt is
selected (checked on), the client will wait for the patch to download
and install. If the prompt is cleared (checked off), the client will
attempt the patch installation the on the next logon attempt.
389
Administrator's Guide
Multiple Site LAN
On a network configured with multiple sites, the Patch Deployment
process is similar as discussed above. However, there are some
differences which are explained below.
In the above illustration, the network consists of two sites. Each site
should have its own single download server. All other servers on the
site should be set up as distribution servers. The Operations Master
publishes all packages for the MSI Packages object to all servers (on
all sites) that have a running Update Service.
Upon logon, a client is connected to a server within the site the client
exists in. Upon a patch deployment request, a server within its own
site is randomly chosen by the Desktop Authority engine. If the
download server is chosen, the necessary patches are deployed to the
client as requested.
If the patch file has not yet been downloaded by the server, a request
is sent via the Update Service to Microsoft and the patch file(s) is
downloaded. In this case, one of two scenarios will occur on the client.
Depending on the configuration of the "If patch is not available, do not
continue" prompt on the Patch Deployment element, either Desktop
Authority will continue to process on the client without installing the
patch, or it will pause and wait for the patch to download and install
before going any further. If the prompt is selected (checked on), the
client will wait for the patch to download and install. If the prompt is
cleared (checked off), the client will attempt the patch installation the
on the next logon attempt.
390
Reference
If a distribution server is selected via the Desktop Authority engine
and the patch is available it is automatically deployed to the client.
If the patch file is not yet available on the distribution server, a
request will be sent to the download server. The patch will be
downloaded from Microsoft (if necessary) moved to the distribution
server and then deployed to the client. Again, at this time, one of two
scenarios will occur on the client when authenticated by the
distribution server. Depending on the configuration of the "If patch is
not available, do not continue" prompt on the Patch Deployment
element, either Desktop Authority will continue to process on the client
without installing the patch, or it will pause and wait for the patch to
download and install before going any further. If the prompt is
selected (checked on), the client will wait for the patch to download
and install. If the prompt is cleared (checked off), the client will
attempt the patch installation the on the next logon attempt.
It is important to note that depending upon the speed of the link
between the sites in this type of configuration versus the speed of the
Internet connection, it may be faster to manually copy the download
cache between sites versus allowing the patch files to propagate
through the system as they are needed.
Patch Deployment in a Windows NT domain
Note: If site information is not configured on an AD domain,
these following guidelines should also be used to correctly
configure Patch Deployment.
In an Active Directory domain, site information is used by the client to
determine which server to connect to. A server is always chosen from
within the site that the client belongs to. Since site information does
not exist in an NT domain, it is not possible to determine which server
to connect to.
To best configure Patch Management for a Windows NT domain, there
should always be one server that is designated as the download
server. A server is configured to be a download server in the Update
Service configuration dialog.
391
Administrator's Guide
Each distribution server in the domain should be configured to look for
patches on the download server.
392
Reference
In this special case, specific validation logic must be defined for each
element created within the Patch Deployment object. Elements will be
duplicated for each LAN. The Validation Logic for each element will
only validate for one specific LAN. To do this use the TCP/IP validation
type as follows:
393
Administrator's Guide
The settings tab should be configured to have the client look to the
download server for the necessary files.
394
Reference
Miscellaneous Notes
•
Although the Service Pack Deployment and Patch
Deployment objects seem very similar, use the Service Pack
Deployment object to install full service packs offered by
Microsoft. A patch is an interim update which fixes one or
more specific problems. A service pack is a cumulative
update to fix multiple bugs and may include product
enhancements. A service pack includes many patches
bundled into a single service pack update.
•
Prior to deploying a patch to the enterprise, use Desktop
Authority's Validation Logic to target specific users or
groups of users and/or specific computers or groups of
computers for testing of patch installations.
•
Since some patch installations may take considerable time
to complete, It is recommended to target significant patches
to occur at logoff time rather than logon.
•
Patches for Office applications may require access to the
original media (CD or DVD). To support Office patches
without prompting the user to insert any form of media, the
original product media should be made available on a
CD/DVD drive that is accessible to all over the network.
•
The Update Service requires Internet access to
www.scriptlogic.com and www.microsoft.com. If a proxy is
used to access the internet, the download server must be
configured to work with the proxy.
395
Administrator's Guide
PATH
The Path object configures client search paths to include local paths,
network paths or UNCs. Entries made here will be appended to (placed
at the end of) the client’s existing path as set in the autoexec.bat on
Windows 9x or in the User’s Environment on Windows
NT/2000/XP/2003/Vista/2008.
Settings
Path
Specify a new search path to be appended to the client’s existing
search path. The path may be in the form of a path, mapped drive
to select an existing path. Optionally, press the F2
or UNC. Click
key to use a dynamic variable.
Examples:
C:\Batch
S:\Utilities
\\Server1\Tools
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
396
Reference
FILE/REGISTRY PERMISSIONS
The File/Registry Permissions object provides the ability to modify
NTFS File and Folder permissions or Registry permissions. Permissions
are configurable for NT, 2000, XP and Vista systems as well as
Terminal Server Client sessions on 2003 and 2008.
397
Administrator's Guide
Settings
Type
Select File/Folder or Registry from the Type list. The selected
Type is the object that Permissions will be applied to.
Action
Select Append, Overwrite or Revoke from the Action list. This action
defines how to apply the Permissions to the selected object.
•
Append - Add permissions to list of existing permissions for
the object.
•
Overwrite - Replace existing permissions with permissions
specified in this element for the object.
•
Revoke - Remove permissions for the object from the
specified user/group.
Path / Hive/Key
For the File/Folder Type, enter the Path to the object that
Permissions will be applied to. For the Registry Type, enter the Hive
and Key that the Permissions will be applied to.
Inheritance
Select Do not modify this object's inheritance, Allow this object to
inherit from parent, Do not allow this object to inherit from parent
and discard inherited permissions, Do not allow this object to inherit
from parent and copy inherited permissions from the Inheritance
list. The Inheritance selection defines how or if permissions for the
object will be inherited.
398
•
Do not modify this object's inheritance - This object will not
assume (inherit) permissions from any other object.
•
Allow this object to inherit from parent - This object is
allowed to assume permissions from its parent object.
•
Do not allow this object to inherit from parent and discard
inherited permissions - This object will not be allowed to
assume permissions from its parent object. If the object
already has inherited any parent permissions they will be
removed.
•
Do not allow this object to inherit from parent and copy
inherited permissions - This object is not allowed to assume
(inherit) permissions from its parent object, nor is it allowed
to copy permissions from its parent.
Reference
Permissions
The Permissions list designates which users and/or groups will be
given permissions to the selected object (File/Folder or Registry)
Press Add to define users and/or groups to which permissions will
be given to the selected object. Press Modify to edit an entry in the
Permissions list. Press Delete to remove an entry from the
Permissions list.
Principal
Specify a user or group that will be assigned the designated
permissions.
Permissions
The permissions boxes represent the standard permissions that can
be allowed or denied for the specified Principal. Select Allow to
permit access to the object. Select Deny to refuse access to the
object. Selecting either Allow or Deny Full Control will automatically
select the Read, Write, Execute and Modify permissions.
399
Administrator's Guide
Propagation
Select Apply to this object only, Apply to this object and child objects
one level deep, Apply to this object and allow all child objects to
inherit, or Apply to this object and apply to all child objects from the
Propagation list. The propagation selection defines which components
(Parent and/or Child) of the object are affected by the Permission
change.
•
Apply to this object only - Permissions are applied to the selected
Path or registry Hive/Key only. No child objects are affected.
•
Apply to this object and child objects one level deep - Permissions
are applied to the selected Path or registry Hive/Key object and to
any container immediately within this object.
•
Apply to this object and allow all child objects to inherit Permissions are applied to the selected Path or registry Hive/Key
object. All child objects have the ability to inherit these permissions
however the child objects are not given these permissions
automatically.
•
Apply to this object and apply to all child objects - Permissions are
applied to the selected Path or registry Hive/Key object and to any
all containers below this object.
Child object to include
Select Files, Folders, or Files and Folders from the list. The selected
child object(s) will be included in the propagation of the applied
permissions.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
400
Reference
POWER SCHEMES
Power Scheme settings can be configured to run on Windows 98, Me,
2000 and XP*. Power Schemes cannot be configured to run on
Terminal Servers, Member Servers or Domain Controllers, and 95, NT
4.0 and 2003 operating systems.
To configure Power settings on Vista machines and above, select the
Power Plan Settings tab.
Power Scheme Settings
Action
Select Create/Modify or Remove from the Action list. The
Create/Modify action will create a new Power scheme if one does not
already exist with the specified Power Scheme name or modify the
existing Power scheme if one already exists with the specified name.
Remove will delete an existing Power scheme if one exists with the
specified Power scheme name.
401
Administrator's Guide
Power scheme name
Select from existing Power Schemes Always On, Home/Office Desk,
Max Battery, Minimum Power Management, Portable/Laptop, or
Presentation pre-defined power schemes. The pre-defined schemes
exist on 98, Me, 2000 and XP operating systems and can be used for
commonly used settings. Enter a new Power scheme name to define
a new configuration set. Enter an existing power scheme name to
update an existing scheme.
Hibernation/Standby Options
Enable Hibernation
This box can be set to one of three (3) different states: on (enabled)
, off (disabled)
, or grayed (preserve current setting)
.
Select the box to enable hibernation on the computer. Hibernation
mode will store the contents from memory on the hard drive and
then shut down. When the computer comes out of hibernation, it will
return to its previous state. Clear the box to disable Hibernation
mode and enable Standby mode. Standby mode will switch the
computer into a low-power state. Gray the box to leave the current
setting untouched.
The default for this option is grayed.
Prompt for password when computer resumes from standby
This box can be set to one of three (3) different states: on (enabled)
, off (disabled)
, or grayed (preserve current setting)
.
Select the box to prompt for a password when the system resumes.
Clear the box to disable password prompting. Gray the box to leave
the current setting untouched.
The default for this option is grayed.
Power button options
When I close the lid of my portable computer
Select a power option from the list. Select from Leave Alone, Do
Nothing, Sleep, Hibernate, Shutdown, Shutdown and reset,
Shutdown and power of or Warm eject.
When I press the power button on my computer
Select a power option from the list. Select from Leave Alone, Do
Nothing, Sleep, Hibernate, Shutdown, Shutdown and reset,
Shutdown and power of or Warm eject.
402
Reference
When I press the sleep button on my computer
Select a power option from the list. Select from Leave Alone, Do
Nothing, Sleep, Hibernate, Shutdown, Shutdown and reset,
Shutdown and power of or Warm eject.
Power scheme options
Power scheme options specify how to act on a device if it is in an idle
state. The power settings can be defined for a computer that is
plugged in and/or running on batteries.
Turn off monitor
Specify the amount of video idle time to wait before turning off the
monitor. Select Leave alone if monitor power settings are not
wanted.
Turn off disks
Specify the amount of hard disk idle time to wait before spinning
down the disks. Select Leave alone if power settings are not wanted
with hard disk drives.
System standby
Specify the amount of idle time to wait before going into Standby
mode. Select Leave alone if Standby mode is not wanted.
System hibernates
Specify the amount of idle time to wait before going into Hibernation
mode. Select Leave alone if Hibernation mode is not wanted.
Power Plan Settings
Select the Power Plan Settings tab to configure power settings on
Microsoft Windows Vista workstations and above.
403
Administrator's Guide
Action
Select Create/Modify or Remove from the Action list. The
Create/Modify action will create a new Power plan if one does not
already exist with the specified Power plan name or modify the
existing Power plan if one already exists with the specified name.
Remove will delete an existing Power plan if one exists with the
specified Power plan name.
Power scheme name
Select from existing Power plans Desktop Authority Power Plan,
Balanced, Power Saver, and High performance pre-defined power
plans. The pre-defined plans exist on Microsoft Windows Vista and
can be used for common circumstances. Enter a new Power plan
name to define new configurations. Enter an existing power plan
name to update an existing scheme.
Power plan based on
Select one of the existing power plans as the base of your new
custom power plan.
Sleep and display settings
Turn off the display
Enter the amount of idle time that must elapse before
Windows turns off the display. This time can be set
independently for a computer running on battery and
when it is plugged in.
Put the computer to sleep
Enter the amount of idle time that must elapse before
Windows puts the computer into sleep mode. This time
can be set independently for a computer running on
battery and when it is plugged in.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
*Windows 95, 98, Me and NT4 clients are no longer supported.
404
Reference
PRE/POST ENGINE SCRIPTS
Out of the box, Desktop Authority accommodates virtually every
installation's requirements simply by filling in the blanks of the objects
in the Desktop Authority Manager. While feature-rich and easy-to-use,
the Manager may not provide all of the desired functionality out of the
box. That's where custom scripting comes in.
Custom Scripting can be used for automated software deployment,
locating and/or copying files, special-case drive mappings or to
override the Manager settings.
Custom scripting is relatively easy and can be as simple or complex as
necessary -- though it does require programming in KiXtart and often
requires a working knowledge of the Windows registry. Custom scripts
contain KiXtart scripting code and may launch additional executables,
batch files, or scripts of any type using the "shell" or "run" commands.
Creating a Custom Script
A custom script is an ASCII text file written using the KiXtart scripting
language. A script may be created using Notepad or any other text
editor. The script file may be created within or outside of the Manager.
To create a script from within the manager, an element must first be
created within the Pre/Post-Engine Scripts object. First, decide at
which point the script should run, Pre or Post Engine. Create the
element by right-clicking inside the element list on the Pre/Post-Engine
Scripts object. Select New Element from the shortcut menu. Once the
element is created, specify a script filename on the Settings tab. This
filename should end with a .KIX extension. Once the .KIX extension is
recognized by the Manager, the
button will be enabled.
405
Administrator's Guide
button can be used to create or modify KiXtart scripts. When
The
clicked, the script file will be opened within the defined Custom Script
Editor. The default script editor is Microsoft's Notepad. This can be
changed to load a favorite text editor by clicking File > Preferences on
the Manager's File menu.
To create a script outside of the Manager, simply load your favorite
text editor and start typing. Once it is complete (and tested) it may be
added to the Pre and/or Post-Engine object within the Manager.
Configuring Custom Scripts within the Manger
To use a script within the Manger, first select the point at which the
script should run, either Pre or Post Engine. Select the appropriate
object within the profile.
Custom scripts can be processed before and/or after the Desktop
Authority object configurations are processed.
Pre-engine custom scripts are launched after the defined
configuration settings are read into memory but before these
configuration settings are applied. This allows you to "override"
variables defined by Desktop Authority with your own custom settings.
Post-engine custom scripts are launched after the Desktop Authority
Engine processes the Manager defined configuration settings. This
allows you to use drive mappings and other configuration settings after
Desktop Authority has applied them to the client.
406
Reference
Script Execution
As Desktop Authority processes the custom script elements defined by
the Pre and/or Post Engine Script list, Validation Logic is applied to
each script, beginning with the top of the list. Prioritize the list entries
by clicking Move Up ( ) and Move Down ( ) to reorganize the list.
Settings
Script
Enter the name of the custom script file. The script file name must
have an extension of .KIX for the KiXtart engine to process it. Click
to locate and select the script file from a network share. If the
file does not already exist, Desktop Authority will let you write the
script directly from this dialog box. Once a file name with a .KIX
extension is entered into the script field the file may be edited. Click
to edit it. Notepad is opened with the new or existing script
loaded. If a new script is being created, some comments are
automatically added to the file by Desktop Authority.
407
Administrator's Guide
Dynamic variables, environment variables or macros may be
used as part of the custom script filename. These variables
are translated during the client logon process.
Example:
Script: $UserId.kix
For the user Mary Jones, this will translate into
mjones.kix when she logs on.
To insert a dynamic variable, press the F2 key and select the
variable from the popup list. The dynamic variable will be inserted
into the field at the cursor’s current position.
There are not many rules about editing custom scripts,
however, remember that each script must end with a
RETURN statement so that control is returned to the Desktop
Authority Engine when the script is finished processing.
Desktop Authority provides no error control over custom
scripting. A syntax error in your custom script will cause
Desktop Authority to unexpectedly terminate.
A variety of custom scripting examples can be found on the
ScriptLogic web site.
If you would rather develop custom scripts in VBscript, you
can launch them using the Application Launcher tab.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
408
Reference
PRINTERS
The Printers object configures printer mappings. Printer mappings
redirect local printer ports (LPTx) and printer resources to a shared
network printer.
Settings
Printer Type
Select either Network Printer or IP Printer from the Printer Type list.
To connect to an IP printer on an NT 4.0 workstation, the
Microsoft TCP/IP Printing service must be installed.
Shared Printer
Enter the path of the network printer. The path should be specified
to navigate to
in the form of \\server\share\. Optionally, click
the network printer. Press the F2 key to use a dynamic variable.
Specify /DELETE in the Shared Printer prompt to remove all
persistent printer mappings that a user has created on their
workstation that corresponds to the same port number specified for
the shared printer configuration.
When configuring an IP Printer, a shared printer is required
in order to install the necessary drivers on the specified
clients.
Printer IP
Enter the TCP/IP address defined on the printer.
409
Administrator's Guide
Advanced
Click Advanced to enter or view the IP printers settings. These
settings will automatically be detected if an IP address is entered
and the printer is detected at that address.
Protocol
Select the printer’s supported printing protocol.
Port Number/Queue Name
Specify the printer's port number when the RAW protocol is
selected. Specify the printers queue name if the LPR protocol is
selected.
Printer Name
Specify the printer name.
Port Name
Specify the name that will appear in Windows Printer properties
port list.
SNMP Name
Specify the community name used by the printer.
LPT#
Select a port number from the list or type a new LPT port. Valid LPT
port numbers are 1 - 9.
Auto add/remove
Select Add, Delete, - from the list. This allows you to choose from
automatically adding or removing a printer driver on the client. This
applies to clients with Microsoft NT/2000/XP/2003/2008/Vista
operating system only.
Keep in mind that IP Printers are machine specific (local
ports). Therefore, everyone connected to the machine will
have access to the specified IP Printer.
410
Reference
Set as Default
Select this check box to set any NTx Auto-Added printers as the
default printer on the client.
For Desktop Authority to be able to set an auto-added printer as the
client’s default printer, the printer name must match the share
name exactly. For example: On the server, if there is a printer called
"HP4000 Accounting"; it must be shared as "HP4000 Accounting".
Alternatively, the printer can be renamed to "HP4000AC" and shared
as "HP4000AC".
This applies to clients with Microsoft NT/2000/XP/2003/2008
operating system only.
Do not capture LPT1:, or set auto-added printer as default, if
client has a local printer defined on LPT1:
Select this check box for Desktop Authority to ignore any requests
to redirect (capture) or set an auto-added printer as the default
printer if the client already has a printer defined on LPT1. Clear this
check box for Desktop Authority to redirect (capture) or set an autoadded printer as the default, regardless of whether or not the client
has a local printer defined on LPT1.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
411
Administrator's Guide
REGISTRY
The Registry object provides a single point of control over changing
values in the registry of the user’s computer. This object takes
advantage of the ScriptLogic Service, which allows Desktop Authority
to modify any Windows NT/2000/XP/2003/2008/Vista registry
key/value, even if the user logging on does not have the necessary
permissions to modify that particular key/value under their own
security context.
The Registry object is extremely versatile and, if used
improperly, can cause computers not to function properly. The
Registry object is designed for use by experienced
administrators only. Always use caution when manipulating the
registry on any computer, and extreme caution when using a
product such as Desktop Authority to make a network-wide
change to a group of computers at once. It is highly
recommended to first test any registry modification on a
specific user or computer (using Validation Logic) prior to
rolling the change out to an entire group, subnet or domain.
412
Reference
Settings
Action
Select an action from the list to define how the registry setting is to
be updated. Registry keys can be created and removed. Available
actions are:
•
Write Value
Store the specified data to the specific Hive\Key\Value. If
the key does not already exist, it will be created.
•
Delete Value
Remove the specified value from the specific hive\key.
•
Delete Key
Remove the specified key from the hive. For safety reasons,
DeleteKey will only delete a single key. DeleteKey will not
delete a key if there are subkeys beneath it.
•
Add Key
Create a key in the specified hive.
Hive
Select the hive on which to perform the action from the list. The
following hives can be selected:
•
HKEY_CLASSES_ROOT
Contains all file associations, OLE information and shortcut
data.
•
HKEY_CURRENT_USER
Contains preferences for the user currently logged in.
•
HKEY_LOCAL_MACHINE
Contains computer specific information about the type of
hardware, software, and other preferences on a given PC.
•
HKEY_USERS/.DEFAULT
Contains default profile preferences.
•
HKEY_CURRENT_CONFIG
Represents the currently used computer hardware profile.
Key
Enter the specific key to be added or updated in the registry. Keys
are subcomponents of the registry hives. Dynamic variables are
available for use in defining the key.
413
Administrator's Guide
Type
Select the value type to be stored in the registry key.
Valid types are:
•
REG_BINARY
•
REG_DWORD
•
REG_DWORD_BIG_ENDIAN
•
REG_DWORD_LITTLE_ENDIAN
•
REG_EXPAND_SZ
•
REG_FULL_RESOURCE_DESCRIPTOR
•
REG_LINK
•
REG_MULTI_SZ
•
REG_NONE
•
REG_QWORD
•
REG_RESOURCE_LIST
•
REG_SZ
The Type list is not applicable when the Action field is set to either
Add Key or Delete Key.
Value
Enter the name of the value for the registry key that will be written.
Value is not applicable when the Action field is set to either Add Key
or Delete Key.
Data / Expression
Type the data you would like stored in the specified value. This field
may contain static text, Desktop Authority Dynamic Variables,
KiXtart macros or any combination of the three. Press the F2 key to
select a dynamic variable from the list.
If you want to create a new value with no data, or to erase an
existing registry value’s data, enter the word clear surrounded by
parentheses.
Example:
(clear)
414
Reference
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
415
Administrator's Guide
REMOTE MANAGEMENT*
The Remote Management object provides the ability to install,
configure or remove the Remote Management component to/from host
computers.
Settings
Action
Select an action from the list. Select Install to configure client
workstations with the Desktop Authority host software. Select
Remove from the list to remove the Desktop Authority host software
from client workstations.
Port
Specify a listening port that Desktop Authority will use to
communicate with client workstations. By default the Desktop
Authority host software is configured to use port 2000.
416
Reference
Display Tray Icon
Select this check box to display a system tray icon on the client
workstation. This icon indicates that the Remote Management host
software is installed on the client. Clicking on this icon provides a
wealth of extra information, including a log of recent events and
detailed performance data graphs.
Use Alternate DesktopAuthority.exe location
By default the Remote Management component is deployed to each
validating client from the SLDACLIENT$ share. SLDACLIENT$ is a
share that exists on the Operations Master (where Desktop
Authority is installed to). The folder ScriptLogic
Manager\DesktopAuthority is shared as SLDACLIENT. This default
location can be changed to an alternate path to accommodate
clients located over slow WAN links. Specify the new path and copy
the contents of the Desktop Authority folder to this new path. Click
to select an existing path.
Note: The specified Alternate location is not updated when
newer versions of Desktop Authority are installed. It must
manually be updated by copying the updated files from the
SLDACLIENT$ share into the Alternate location upon
completion of the installation.
Access Control
The Access Control List allows permissions to be controlled for
Remote Management sessions.
User or Group
Specify a valid User or Group to grant Remote Management
permissions to.
Change user credentials for 9x machines
In order to run the remote management component on a 9x
machine, a specific User must be used in order for the Remote
Management session to log onto the workstation. The default
Username for the remote control session is the NetBIOS computer
name. The default password is DesktopAuthority. This Username
and Password may be customized. To change the default username
and password, check the Change user credentials for 9x machines
box to create a new Username and Password for the Remote
Management session to use.
9x User Name
Specify the new 9x User Name.
9x Password
Specify the new 9x Password.
417
Administrator's Guide
Permissions
Login
Anyone with any sort of access to Desktop Authority is implicitly granted Login
access. This allows for looking at the Info page, reading the Help file, chatting with
the user in front of the computer, and logging out.
Configuration
Users with access to the Configuration module have access to all Basic
permissions plus Computer Settings > Automatic Priorities, Server Functions > FTP
capabilities, Performance Monitoring > Telnet/SSH Connections, Security > IP
configurations and Preferences. Keep this in mind this grants users access to
modifying Desktop Authority permissions.
Scripts
Users can execute, create, change or delete scripts.
Event Viewer
Allows the use of the Event Viewer module under Computer Management.
File System
Allows the use of the File Transfer module, Computer Management > File Manager
and Security > Desktop Authority Logs.
Registry
Allows for editing and compacting of the registry under Computer Management.
Performance Data
Ability to view performance and system information data under Performance
Monitoring. Processes Allows access to the Process List, and adds the ability to
terminate processes and/or change their priorities. These items can be found under
Computer Management.
Processes
Ability to view Processes data under Computer Management.
Reboot
Allows rebooting the computer and restarting the Desktop Authority service. This
section can be found under Computer Management.
Remote Control
Allows use of both the screenshot-based and the Java-based Remote Control
module.
User/Group Accounts
Allows the use of the User Manager module found under the Computer
Management section.
System Configuration
Allows the user access to Computer Settings.
SSH Shell
Allows access to a command prompt on the host computer via the SSH protocol.
418
Reference
SSH Port Forward
Grants the user rights to use SSH Port Forwarding.
SSH Privileged Port Forward
Grants the user rights to use SSH Privileged Port Forwarding.
SCP
Grants the user rights to use SCP (Secure file Copy Protocol).
SFTP
Allows the user access to the file system of the host computer via the SFTP
(Secure File Transfer Protocol).
Telnet (DA Client)
Allows the user to use the secured telnet client found in the browser under the
Command Prompt item.
Telnet
Allows access to the machine via Telnet - either using the built-in telnet client or
any standalone terminal emulator.
Click Select All to mark all permissions. Click Deselect All to clear
all permissions.
Grant full control to administrators
Select this check box to allow all administrators access to start a
remote management session. Clear this check box to disable
administrators default access to remotely manage workstations.
Explicit permissions must be granted to users who will have access
to start a remote management session.
Ask permission from the interactive user
Select this check box to enable the Desktop Authority system tray
icon and request permission from the user at the workstation when
a remote management session is to be started. Enabling the system
tray icon also enables the ability to use the Chat function. If this box
is cleared there will be no indication at a workstation when a remote
control session is started. The Chat function will also be disabled.
Open port in Windows Firewall to allow remote management
Select this check box to open the port that allows a remote
management connection.
419
Administrator's Guide
Enable Remote Registry Service (must be enabled for Vista)
Select this box,
, to turn on the Remote Registry service on
desktops. This is required for use of Remote Management on Vista
clients as the service is turned off by default. Turning on this service
enables the Desktop Authority Manager to determine the status of
the DA Remote Management service.
Select this box to set the Remote Registry service startup type to
, to set the
automatic and the service is started. Clear this box,
Remote Registry service startup type to manual and the service is
, to leave the startup type and
stopped. Gray the check box,
service status as is.
Advanced
Select the Advanced tab for further Remote Management settings.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
*This feature is a purchasable option for Desktop Authority. This
option is not available with Desktop Authority Express. Desktop
Authority users must upgrade to Desktop Authority in order to
purchase this option.
420
Reference
REMOTE MANAGEMENT ADVANCED SETTINGS
The Remote Management Advanced tab provides several advanced
settings for Remote Management. The Advanced settings are
comprised of several options pertaining to General, Interactive user's
permission, Security, Audible notification, Logging, and IP Filtering
settings.
General
Use mirror display driver
Desktop Authority provides a mirror display driver on the W2K/XP
platforms. This display driver provides a faster and less CPUintensive remote control session. Select this check box to use the
mirror display driver. Clear this check box to disable the use of the
mirror driver.
421
Administrator's Guide
Automatically disable wallpaper
Select this check box to disable the wallpaper (or background
desktop image) on the host computer when a remote control session
is started. Clear this check box to view the image during the remote
session.
Clipboard transfer size
The Remote Management host software provides the ability to
transfer clipboards between host and client machines, allowing the
ability to copy from one machine and paste on the other.
Specify the maximum number of kilobytes (KB) that can be
transferred between machines. The default size is 1024 KB.
Transferring significantly larger amounts may cause slowdowns. The
maximum limit is 8 MB in both directions. If the clipboard is larger
than the maximum limit nothing will be transferred.
Idle time allowed
Specify the number of minutes a remote host may be inactive for. If
a period of inactivity is determined, the client will automatically be
disconnected from the remote session.
Screen shot updates per second
Specify the number of times the display is to be updated each
second.
Enable Remote printing
Select this check box to enable the ability to print remotely. Clear
this check box to disable the ability to print remotely.
Interactive user's permission
Warning text
Enter the confirmation text to be presented to the host when a
remote control session is about to begin. The string '%%user%%'
will be substituted by the name of the user who is attempting the
remote control operation.
Duration of warning in seconds
Specify the amount of time before the notification message to the
host times out.
If warning times out, allow remote control anyway
Select this check box to allow remote control access to a host when
the local user does not answer the query for access. Clear this check
box to cancel the query for access to the host when the local user
does not answer.
422
Reference
Display notification during remote control
When a remote session is in progress, a small window in the top
right corner of the remote screen is displayed stating who is
currently remotely connected to the machine. Select this check box
to have this remote management notification displayed during the
remote session. Clear the check box to display no connection
notification dialog during the remote session.
Do not ask permission if admin has full control
Select this check box to allow immediate remote control access
without requesting permission from the host. This is only possible if
the user requesting remote access has Full control permissions.
Clear this check box to disable this ability.
Security
Disable host keyboard and mouse
Select this check box to disable the host's keyboard and mouse
during the remote session. This will prevent the host user from
using the keyboard or mouse while the remote control session is in
progress. Clear this check box to enable the host's keyboard and
mouse during the remote control session.
Lock console when connection broken
Select this check box to lock the console in order to protect open
files, if, due to a network error, the Java remote control client loses
its connection to the server. Clear this check box to leave console as
is when the connection is broken.
Lock console when connection times out
Select this check box to lock the console in order to protect open
files, if the connection times out. Clear this check box to leave client
as is when the connection times out.
Always lock console when remote control disconnects
Select this check box to lock the console when the remote session
ends. Clear this check box to leave client as is when the remote
session ends.
Blank host screen (non Vista desktops only)
Select this check box to blank the display on the host computer
during a remote control session. This is useful for preventing user
interaction while remote work is in process.
423
Administrator's Guide
Audible notification
Beep whenever a session begins or ends
Select this check box to have an audible beep on the host computer
when a remote control session is initiated or ended.
Beep continuously during remote control
Select this check box to have a periodic audible beep on the host
computer during the remote control session.
Beep interval in seconds
Specify an interval for the periodic beep during the remote control
session. The beep interval is specified in seconds.
Logging
Keep logs for
Specify the number of days in which log files will be kept for. Set to
zero to disallow the system from deleting any log files. Log files can
be deleted manually from the specified log file location.
Log file location
Specify the folder where log files will be stored. Leaving the check
box empty will cause the log files to be stored in the x:\Program
Files\Desktop Authority folder on the host machine.
IP Filtering
The Remote Management IP address filtering feature allows the
configuration of exactly which computers are allowed to access the
Remote Management system. Click Add to add a new IP Filter to the
list. Click Modify to edit an existing IP Filter. Click Delete to remove
an existing IP Filter from the list.
Type
Select Allow or Deny from the type list. Allow specifies that access
will be granted to the defined IP address. Deny will refuse access to
the IP address specified.
Address/Subnet
Enter either a single IP address with no subnet mask, an IP address
with a subnet mask, essentially granting or denying access for a
whole network, or an IP address with wildcards and no subnet mask.
Valid wildcards are an asterisk (*) that matches any number of
characters, or a question mark (?), that matches a single character
only.
424
Reference
SECURITY POLICIES
The Security Policies object allows user security settings to be
centrally configured. Security policies can be set for individual users or
computers.
User policies are registry entries stored to the [HKey_Current_User]
registry hive. This registry hive is stored in the user’s profile*. On
Windows NT/2000/XP/2003/2008/Vista operating systems, each user
has an individual user profile. On Windows 95/98/Me computers, all
users share a common user profile, unless individual user profiles have
been enabled through Control Panel*.
Computer-specific policies are registry entries stored to the
[HKey_Local_Machine] registry hive. This type of policy will affect
every person that uses the computer. An example of this type of policy
would be Computer: Force 9X Domain Logon. Computer-specific
policies are indicated by the "Computer:" preface in the policy list.
When a Policy is enabled, it remains in effect until you specifically
disable it or select the Clear all existing policies first option. Once you
configure the security policy to be disabled using either of these two
methods, the user must log on one more time so that Desktop
Authority may apply the "disabled" setting to the computer.
Security Policies are registry settings. Deleting a Policy entry
from the list will leave the policy in effect whether it is enabled
or disabled. To clear the policy setting, you must reset the
policy in the list or check the Clear all existing policies first box.
425
Administrator's Guide
Settings
Enable/Disable
Select Enable or Disable from the list to enable or disable a security
policy.
Category
Select a specific policy area from the Category list for a security
policy to be set. The available categories are: (All Policies), Active
Desktop, Computer, Explorer, Internet Explorer, Network, System
and WinOldApp. (All Policies) will display policies for all categories.
WinOldApp provides policy settings for MS-DOS apps.
Selecting a policy category will filter the policy selection list below
the category.
Policy
Select a policy from the list. This list is filtered based on the policy
category chosen. To see all policies, select the (All Policies)
category.
User Account Control (UAC)
Select the User Account Control (UAC) tab for Security Policy
settings pertaining to UAC on Microsoft Windows Vista and 2008.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
*Windows 95, 98, Me and NT4 clients are no longer supported.
426
Reference
SERVICE PACK DEPLOYMENT
The Service Pack Deployment object allows you to deploy service
packs for all NT/2000/XP/Vista clients.
A few items to note regarding service pack deployment:
•
Desktop Authority will only install service packs to
NT/2000/XP/Vista clients if connected over a LAN connection.
The Connection validation logic is disabled.
•
Desktop Authority will never attempt to install service packs to
any NT/2000/2003/2008 servers (or Terminal Servers).
•
Desktop Authority will never downgrade the currently installed
service pack on a computer. Desktop Authority will only install
the requested service pack if the client has an older or no
service pack installed.
•
Desktop Authority will not attempt to install the requested
service pack if the client does not have enough available disk
space on the drive that hosts the %TEMP% folder. The engine
determines the amount of available disk space before the
service pack is installed. By default, 1.5G (1500mb) of disk
space must be available to install any service pack. This default
can be overridden by defining a value in the global or profile
definition file.
The variable #ServicePackFreeSpaceNeededInMB is used to
override the available disk space amount. Select Global Options
> Definitions or select the Definitions tab on the profile's
settings.
Example:
#ServicePackFreeSpaceNeededInMB="1000"
•
Desktop Authority will run all service packs in unattended
mode, will force the computer to close other programs when it
shuts down, and will not back up files for uninstall purposes.
•
Desktop Authority will not install service packs on any Windows
Embedded operating system.
Desktop Authority can bypass the automatic installation of
service packs on specific computers. If you have specific
computers that you would never like Desktop Authority to
install a service pack on (such as a development station),
create a file called SLNOCSD in the root directory of the System
Drive. This allows you to generally apply service packs based
on Validation Logic, while providing for special-case exemptions
based on individual systems.
427
Administrator's Guide
Settings
OS Version
Select an Operating System version from the list. Valid selections
are Windows 2000, Windows NT 4, Windows Vista and Windows XP.
OS Language
Select a language from the list. This language should specify the
dialect of the operating system installed on the client as well as the
service pack. If the languages do not match, the service pack will
not be installed.
Update To
From the list, select the service pack to be deployed. Service Packs
displayed in the list are filtered based on the OS Version selected.
Location of Update.exe
Enter the complete path and filename where the Update.exe
executable exists or click
to locate the executable’s path.
Windows Vista uses spinstall.exe, not update.exe for the
service pack install executable.
Example:
\\server1\installs\W2KSP1\Update.exe
The executable file downloaded from Microsoft is an archive
that must be extracted at a command line by using the -x
switch. This will extract the service pack into multiple folders
among which you will find update.exe.
428
Reference
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element. Service Packs may only be applied to computers classified as
a Desktop or Portable. Operating System and Connection type are
disabled.
Description
Select the Description tab to set the description for this element.
429
Administrator's Guide
SHORTCUTS
The Shortcuts object provides the ability to centrally define shortcuts
to be used on the client’s machine. A shortcut is a pointer to an
application or folder. Once the shortcut is created, the user will never
have to remember the details to access the referenced program or
folder again. They simply run the shortcut.
Settings
Action
Select Create Shortcut or Remove Shortcut from the Action list.
Overwrite
Select this check box to overwrite an existing shortcut if it exists in
the same location with the same name. Clearing the check box will
not overwrite the shortcut if it exists.
Shortcut Name
Enter a name for the shortcut. This name will appear below the icon
for the shortcut. This field is required.
430
Reference
Shortcut Location
Specify the folder where the shortcut will be created or removed
from. Type a location or select one from the list.
A location may also be specified by a dynamic variable, environment
variable or macro which is translated by Desktop Authority during
the client logon process.
Example:
[$ShellProg\Shared Documents\Employee Manual]
When Desktop Authority executes on the client, $ShellProg will be
populated with the location of the user’s Start Menu Programs
folder, for example: C:\Windows\Start Menu\Programs or
D:\WinNT\Profiles\bclinton\Start Menu\Programs.
If the specified folder for the shortcut does not exist when Desktop
Authority attempts to create the shortcut, the folder will
automatically be created during the client logon process.
Target
Specify the program or folder location that the shortcut will point to.
The target program may be located by clicking
shared folder. This field is required.
if it exists in a
Arguments
Specify any optional command line parameters for the selected
target program.
If you need to pass a reserved character (@, $, or %) to a
program, you must double the reserved character within the
Desktop Authority Manager. For example, if the program
requires /@u-username as a command line argument, type
/@@u-$UserID in the arguments field.
Start In
Some programs need to reference other files in a specific folder. In
order for the shortcut to find these files, the folder must be
. In most cases this field
specified. Type the folder name or click
will contain the path used in the Target field. This field is required.
Shortcut Comment
Enter a text description for the shortcut. This is displayed on the
shortcut properties dialog.
431
Administrator's Guide
Icon File
Specify the icon file to display for the shortcut. An icon, icon library
or program file may be specified. If there is more than one icon in
the file specified, enter the icon number in the Index entry. An icon
file may be selected by clicking
.
Shortcut Key
Specify the keyboard combination that will be used to start or switch
to the target application. Shortcut keys are always a combination of
the CTRL key plus the ALT key and then one other key to add to the
sequence.
For example, to specify a shortcut key of CTRL + ALT+ T, enter the
letter T in the field. Set the field to None to disable the shortcut key
by pressing the BACKSPACE key.
The ESC, Enter, TAB, Spacebar, Print Screen or Backspace keys are
not allowed as shortcut keys. If this shortcut key conflicts with a
keyboard shortcut in another Windows application, the keyboard
shortcut in the other Windows application will not work.
Run Window
Select a window option from the list. This defines the style of the
window the application will initially execute in. Select from Normal
Window, Minimized Window, or Maximized Window.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
432
Reference
Example
One way to make use of shortcuts is to create a shortcut in your user's
Internet Explorer Favorites. This example demonstrates how to create
the Favorites shortcut.
433
Administrator's Guide
MSI PACKAGES*
The MSI Packages object is used to configure the deployment of
applications throughout the enterprise. The MSI Packages object
supports the deployment of Windows Installer MSI, MST and MSP
packages. Using a Windows Installer package ensures that applications
are installed, updated and uninstalled in a consistent manner
throughout the enterprise.
The MSI Packages settings tab provides the interface to select a
previously published package and one or more transfer files, and add
desired Windows Installer command line options. In addition, you can
choose to distribution server that will serve the package to the
desktops that validate for this configuration element.
Packages may be installed/uninstalled asynchronously or
synchronously and they may be installed without user notification
(silent), if desired.
434
Reference
Settings
Package Information
The package information box displays information regarding the
selected package. Product Name, File Name, Manufacturer, Version,
Product Code and File Size information are displayed.
435
Administrator's Guide
Select Package
Click Select Package to choose a package from a list of published
packages. When clicked, a popup list is displayed with packages
available for selection.
Action
Select Install or Uninstall from the Action list to define the action for
the MSI Packages element.
Asynchronous
Select this box to run the MSI installation asynchronously. In
asynchronous mode, the installation will run at the same time as
others. If this check box is cleared, applications will install one after
another. Each installation must complete before the next one will
begin.
Silent
Select this box to execute the desired action on the selected
package without displaying any user interface to the end user. Clear
the box to display the full user interface from the MSI to the end
user.
Published Transform Files
Transform files provide configuration settings to be used during the
installation of a package. One use of a Transform file is to
automatically provide responses to prompts during the installation,
for example, to provide an installation path or serial number, so the
end user does not have to.
To enable the use of Transform files, there must be at least one
published MST. MST files are published within the Software
Management global object. Both the Add and Delete buttons will be
disabled if there are no published MST files in the software
repository.
Click Add to use one or more transform files to the Transform Files
list. Click Delete to remove selected transform files from the
Transform Files list.
436
Reference
Additional Command Line Options
MSIEXEC, the Windows Installer executable program installs
packages and products, is called to deploy Windows Installer files.
Based on the configurations for the MSI Packages object, specific
command line options are passed to MSIEXEC. To use additional
command line options, enter the switches in this box. For example,
entering /norestart will not allow the computer to restart following
the install/uninstall, even if the MSI calls for it. All switches entered
into this box will be passed to MSIEXEC in addition to any command
options that are part of the MSI Packages configurations.
Note: Using additional command line options will prevent
reporting on the Installer file.
Distribution servers
Select Automatic Selection to copy the Windows Installer packages
to the client from the auto-selected server. Select Use specific
server to define a specific server to copy the Windows Installer
package file from. Separate multiple server names using a
semicolon (;).
For configuration information on the Update Service, see What is the
Update Service?
If requested packages are not available on the client machine,
suspend the logon/logoff process until they are downloaded.
Select this box to copy the necessary file if it does not exist on the
client. This request is sent to a server that is a designated download
server. Once requested, the Installer file will be copied (if
necessary) and duplicated on the distribution server.
Any client that requests the same Installer file from a distribution
server following the duplication of the Installer file will receive the
file for installation.
Clear this box to continue processing if the Installer file does not
exist at the specified location. The client will check for the file during
future logons until it can be installed successfully.
437
Administrator's Guide
User Options
Select the User Options tab to set the configuration settings that
allow a user to defer a package installation on the workstation to
another logon.
Defer Patches Option
Allow user to defer packages (affects synchronous
installations only)
Select this box to allow the end user to defer the installation
of a package to another session. The ability to Defer a
Package only applies to synchronous installations only.
Number of times the user can defer package installation
before it is forced
Enter the number of times a user can defer the package
installation. Once the package has been deferred the selected
number of times, the installation will no longer be allowed to
be deferred and the package will automatically be installed.
Length of time in seconds for the user to respond before the
package is installed
Enter the number of seconds the user has to respond to the
defer package installation dialog. If there is no response to
the dialog and the number of seconds expires, the package
will automatically be installed.
Hide all progress indicators
Select this box to hide the package deployment progress
indicators. These include the machine assessment dialog as well as
package download and install/uninstall dialogs.
438
Reference
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
*This feature is a purchasable option for Desktop Authority. This
option is not available with Desktop Authority Express. Desktop
Authority users must upgrade to Desktop Authority in order to
purchase this option.
439
Administrator's Guide
TIME SYNCHRONIZATION
Keeping client workstation times synchronized is simple to configure
using the Time Synchronization dialog box. This synchronizes each
workstation’s clock with a specified server. When the client logs on the
network, the time is automatically adjusted to match the server’s time.
Settings
Time Server
Enter the name of the Time Server which the client will by
synchronized with. Type the server name or click
select a server.
to locate and
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
440
Reference
USB/PORT SECURITY*
Overview
The myriad of portable storage mediums today make it essential for
corporations to prohibit or monitor the use of certain devices on the
company network. These devices can be very harmful to a corporation.
Confidential data can easily be copied to any portable device, viruses
can be introduced to the network and be spread corporate wide and
illegal software can be copied to the company network.
Since most portable devices are small in size it is simple for any
employee to use these devices regardless of a written or verbal
company policy. The users' ability to use these devices and/or transfer
data to and from these devices must be restricted. The USB/Port
Security object will do just this.
Desktop Authority locks down over 20 different types of ports and
devices where data may enter or leave the desktop using granular
read/write permissions.
441
Administrator's Guide
Devices
USB/Port Security can set permissions for the following devices:
Ports (if you deny full control on a port, all devices
attached to it will be unavailable)
•
BlueTooth Controllers
•
FireWire (1394) Controllers
•
Infrared Ports
•
Modems
•
Parallel Ports
•
PCMCIA/Cardbus Controllers
•
Serial Ports
•
USB Ports
•
WiFi Devices
Removable Storage – Read and/or Write
•
CD/DVD Readers/Writers – Read and/or Write
•
Firewire (1394) Storage – Read and/or Write
•
Floppy Disks – Read and/or Write
•
Hard Disk Drives *** – Read and/or Write
•
IoMega devices (Zip/Jaz Drives) – Read and/or
Write
•
MP3 Players **
•
USB Storage – Read and/or Write
PDAs
442
•
BlackBerry Devices
•
PocketPC Devices
•
Palm Devices
Reference
Imaging
•
USB Printers
•
USB Scanners
All other USB devices that are not classified as any of the
above device types will be deemed an Unclassified USB
Device.
** Uses a database of well-known MP3 players supplied
by Desktop Authority, which can be extended by altering
the C:\Program
Files\ScriptLogic\PortSecurity\EmbargoDeviceClasses.xml
file on each desktop
*** Does not include partitions containing virtual
memory, boot files or Windows system files
Settings
443
Administrator's Guide
Note: USB/Port Security configurations require clients to be
running Update Rollup 1 for Windows 2000 SP4 or Windows XP
SP2.
Action
Select Install or Remove from the Action list. An Install action will
update the client workstation with the processes necessary to poll
and allow and deny access to devices. A Remove action will uninstall
all USB/Port Security client-side files and permissions.
Desktop Options
Show Desktop Task Bar Icon
Select this check box to display an icon in the notification area, at
the far right of the taskbar of the client workstation. The icon
indicates that USB/Port Security is actively watching client devices.
Show Balloons on Desktop
Select this check box to enable pop up device alerts in the
notification area, at the far right of the taskbar on the client
workstation.
Permission Sets
A Permission Set is a container that defines a set of devices and the
type of access that is allowed for each device. Once a Permission
Set is created, Users/Groups are assigned to the Permission Set. By
default, all device types are given full control permissions when the
permission set is created. The Permission Sets list shows all of the
sets of rules which have been configured for certain removable
storage devices.
Validation Logic is used to determine which desktop computers will
be configured with a given Permission Set. The Permission Set
defines a permanent access control list for all portable devices on
those desktop computers that match the Validation Logic. The
access control list is enforced for all users and groups in the
enterprise, regardless of who logged in and caused the permission
set to be applied. The access control list remains in effect until a
different permission set is applied to the desktop computer. Best
practices will use Validation Logic to apply a Permission Set per
computer or group of computers rather than by user since the
Permission Set is enforced for all users and groups that
subsequently access the desktop computer.
444
Reference
An explicit deny for a device type within a Permission Set will
always supersede an explicit allow within another Permission
Set in the same element. If a user validates for an element
(containing multiple Permission Sets) that both denies and
grants him/her access to a certain type of device, he/she will
be denied access to that type of device. If a Permission Set
does not explicitly grant a user permission to access a type of
device, that user will automatically be denied access to that
device type.
Edit Permission Sets
Click Edit Permission Sets to define a rule that authorizes certain
removable storage devices and the specific type of access that is
allowed.
Users/Groups
The Users/Groups list shows the Users and/or Groups that have
been authorized for the selected Permission set.
Add Users/Groups
Click Add Users/Groups to add Users and/or Groups to the selected
Permission set. A Permission set must be created before any users
and/or groups can be assigned to it.
Delete Users/Groups
Click Delete Users/Groups to remove the set of Users and/or
Groups from the selected Permission set.
USB Device Exceptions
The USB/Port Security USB Device Exceptions tab provides a way to
define a list of specific devices that are allowed/prohibited in to the
Enterprise environment. Every USB device has a Vendor ID (VID) and
Product ID (PID) to uniquely identify the device. These IDs are unique
16-bit numbers assigned to a specific vendor and product and are used
for auto-detection, installation and configuration of the device to the
machine.
445
Administrator's Guide
Finding the VID/PID and Serial Number of a device
To look up the VID and PID of a device, go to the Device Manager.
Locate the device in the list of components. Right-click on it and
choose Properties. From the Properties dialog, select the Details tab.
The VID and PID identifiers can be found within the Device Instance
Id as shown above.
446
Reference
Allow only these devices
This list contains all devices that are allowed in the Enterprise's
environment. Click Add to add a device to the list. When adding a
device to the list the VID and PID numbers are required. The serial
number of the device and description is optional. Click Modify to
change the PID, VID, Serial number and/or description. Click
Remove to delete the device from the list.
Devices can also be listed in a Comma-Separated file (CSV) with the
VID,PID,Serial Number,Description. Click Import to read the file
into the list.
Click Export to write the devices in the list to a Comma-Separated
file (CSV).
Always deny these devices
This list contains all devices that are prohibited from being used in
the Enterprise's environment. Click Add to add a device to the list.
When adding a device to the list the VID and PID numbers are
required. The serial number of the device and description is
optional. Click Modify to change the PID, VID, Serial number and/or
description. Click Remove to delete the device from the list.
Devices can also be listed in a Comma-Separated file (CSV) with the
VID,PID,Serial Number,Description. Click Import to read the file
into the list.
Click Export to write the devices in the list to a Comma-Separated
file (CSV).
447
Administrator's Guide
Administrative Override
Select the USB/Port Security Administrative Override tab to configure
a password for the ability to temporarily override restricted device
settings on the client computer.
Enter an administrative password on this dialog. This password can be
used in the USB/Port Security service on the client computer.
On the client, right-click the USB/Port Security icon and select will give
the user a new menu option to Disable Restrictions. If the correct
password is entered, restrictions are lifted for the remainder of the
user session.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
If a user validates for multiple USB/Port Security elements, only the
last element will be applied. The permissions in all permission sets for
the validated USB/Port Security elements are summed to produce a
"most restrictive" access control list.
Description
Select the Description tab to set the description for this element.
*This feature is a purchasable option for Desktop Authority. This
option is not available with Desktop Authority Express. Desktop
Authority users must upgrade to Desktop Authority in order to
purchase this option.
448
Reference
WINDOWS FIREWALL
The Windows Firewall object allows Microsoft's Windows Firewall to
be enabled or disabled on any validated computer having the Windows
XP SP2 operating system installed. The ability to specify certain port
and program exceptions is also specified on this object's setting tab.
Windows Firewall is only applicable on Windows XP SP2 or greater.
Settings
Windows Firewall
Select an action (Enable/Disable) from the Windows Firewall list to
configure the Windows Firewall component.
The Exceptions list is a holding place for all Firewall port and
program exceptions. Click Add to add a new port or program to the
Exception list. Click Modify to edit an existing port or program on
the list. Click Delete to remove a configured port or program from
the Exception list.
449
Administrator's Guide
Action
Select Open or Close from the Action list. This will configure the
specified port to be opened or closed for incoming traffic.
Exception Type
Select TCP, UDP or Program from the Protocol list to specify the type
of port or program to be configured.
Port
When the Exception Type is set to TCP or UDP, type the port
number to be opened or closed.
Image Path
When the Exception Type is set to Program, specify the path to the
executable program.
Description
Type a meaningful description or reason for the exception in the
Description box.
Scope
Select Any Computer, My Network (subnet) only or Custom List from
the Scope list. Any Computer specifies that incoming traffic on the
port is allowed regardless of where it is coming from. My Network
(subnet) only specifies that incoming traffic on the specified port is
allowed only if the request is coming from the local network. Custom
List specifies that incoming traffic from any computer specified in
the custom list is allowed. Delineate the custom list of IP addresses
by commas.
450
Reference
Display a notification when Windows Firewall blocks a program
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to display a visual notification to the user
when the Firewall blocks a program from accepting an incoming
request. The notification dialog box will allow the user to determine
if the Windows Firewall should allow the program to keep blocking
the program or to allow incoming requests to the program. Clear
this check box for no visual notification or occur. Gray the box to
leave the client’s setting untouched.
Enable File and Print sharing
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this check box to enable File and Print sharing on each
validated client. Clear this box to disable File and Print sharing on
each validated client. Gray the box to leave the client’s setting
untouched.
Don't allow exceptions (inbound firewall only)
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this box to disallow all excepted traffic specified in the
exceptions list. Clear this box to allow traffic. Gray the box to leave
the client’s setting untouched.
Advanced
Select the Advanced tab to configure settings for Windows Firewall
ICMP (Internet Control Message Protocol) and default firewall filters.
This tab allows specific types of ICMP messages to be enabled or
disabled for Windows XP SP2 or greater. Default filters can de set for
Windows Vista or greater.
Validation Logic
Select the Validation Logic tab to set the validation rules for this
element.
Description
Select the Description tab to set the description for this element.
451
Administrator's Guide
WINDOWS FIREWALL ADVANCED
The Windows Firewall Advanced tab allows specific types of ICMP
(Internet Control Message Protocol) messages to be enabled or
disabled. Default filters can also be set on the Advanced tab.
ICMP messages are used for diagnostics and troubleshooting. The
requests listed below are types of requests that the computer may or
may not need to respond to. Select each Internet request type that
the computer will respond to. Clear each Internet request type that the
computer will not respond to.
ICMP Settings (Windows XP SP2 or greater)
Allow incoming echo request
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this request type to force any messages sent to this computer
to be repeated back to the sender. Clear this box to not allow
incoming echo requests. Gray the check box to leave the client’s
setting untouched.
The default for this option is grayed.
452
Reference
Allow incoming timestamp request
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this request type to send an acknowledgement message
(containing the time the data was received) back to the sender.
Clear this box to not allow incoming timestamp requests. Gray the
check box to leave the client’s setting untouched.
The default for this option is grayed.
Allow incoming mask request
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this request type to enable the computer to listen for and
respond to requests for more information about the network to
which it is connected to. Clear this box to not allow incoming mask
requests. Gray the check box to leave the client’s setting untouched.
The default for this option is grayed.
Allow incoming router request
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this request type for the computer to respond to requests for
information about the routes it recognizes. Clear this box to not
allow incoming router requests. Gray the check box to leave the
client’s setting untouched.
The default for this option is grayed.
Allow outgoing destination unreachable
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Select this request type to discard and acknowledge that sent data
failed to reach the computer. Clear this box to not allow outgoing
destination unreachable acknowledgements. Gray the check box to
leave the client’s setting untouched.
The default for this option is grayed.
453
Administrator's Guide
Allow outgoing source quench
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
If the computers ability to process incoming data cannot keep up
with the data coming in, excess data will be dropped and a request
will be sent to the sender to transmit the data at a slower pace.
Select this box to allow the computer to transmit slower. Clear this
box to not allow the computer to quench outgoing data. Gray the
check box to leave the client’s setting untouched.
The default for this option is grayed.
Allow outgoing parameter problem
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
If the computer receives bad header data, a reply will be sent with a
"bad header" error message. Clear the box to not allow an outgoing
error replies. Gray the check box to leave the client’s setting
untouched.
The default for this option is grayed.
Allow outgoing time exceeded
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
If the computer discards data due to a timing issue, a reply will be
sent with a "time expired" error message. Select this box to allow
the outgoing error message. Clear this box to not allow an outgoing
"time expired" error message. Gray the check box to leave the
client’s setting untouched.
The default for this option is grayed.
Allow redirect
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
Data sent from this computer will be rerouted if the default path
changes. Select this box to allow the data to be rerouted. Clear the
box to disallow the data route to be changed. Gray the check box to
leave the client’s setting untouched.
The default for this option is grayed.
454
Reference
Allow outgoing packet redirect
This check box can be set to one of three (3) different states: on
, off (disabled)
, or grayed (preserve client setting)
(enabled)
.
When received data blocks are too big for this computer to forward,
a reply will be sent with a "packet too big" error message. Select
this box to allow the error message to be sent. Clear the box to not
allow the error message to be sent. Gray the check box to leave the
client’s setting untouched.
The default for this option is grayed.
Default Filters (Windows Vista or greater)
Filters allow inbound and/or outbound traffic to be processed based on
the firewall exception rules. Default filters give the option to allow
these packets to be processed by the firewall, even if they do not
match any firewall rules.
Domain Profile
A rule in the Domain profile applies when a computer is connected
to a domain.
Allow inbound connections that do not match a rule
Check this box to allow an inbound connection request even if it
does not match a Domain profile rule. This check box can be set to
, off (disabled)
one of three (3) different states: on (enabled)
, or grayed (preserve client setting)
. Gray the check box to
leave the client’s setting untouched.
Allow outbound connections that do not match a rule
Check this box to allow an outbound connection request even if it
does not match a Domain profile rule. This check box can be set to
, off (disabled)
one of three (3) different states: on (enabled)
, or grayed (preserve client setting)
. Gray the check box to
leave the client’s setting untouched.
Private Profile
A rule in the Private profile applies when a computer is connected to
a private network location.
Allow inbound connections that do not match a rule
Check this box to allow an inbound connection request even if it
does not match a Private profile rule. This check box can be set to
, off (disabled)
one of three (3) different states: on (enabled)
, or grayed (preserve client setting)
. Gray the check box to
leave the client’s setting untouched.
455
Administrator's Guide
Allow outbound connections that do not match a rule
Check this box to allow an outbound connection request even if it
does not match a Private profile rule. This check box can be set to
, off (disabled)
one of three (3) different states: on (enabled)
, or grayed (preserve client setting)
. Gray the check box to
leave the client’s setting untouched.
Public Profile
A rule in the Public profile applies when a computer is connected to
a public network location.
Allow inbound connections that do not match a rule
Check this box to allow an inbound connection request even if it
does not match a Public profile rule. This check box can be set to
, off (disabled)
one of three (3) different states: on (enabled)
, or grayed (preserve client setting)
. Gray the check box to
leave the client’s setting untouched.
Allow outbound connections that do not match a rule
Check this box to allow an outbound connection request even if it
does not match a Public profile rule. This check box can be set to
, off (disabled)
one of three (3) different states: on (enabled)
, or grayed (preserve client setting)
. Gray the check box to
leave the client’s setting untouched.
456
Reference
Remote Management
REMOTE MANAGEMENT CLIENT*
Remote Manager Overview
Desktop Authority’s Remote Manager is the perfect choice for anyone
who has ever needed to access and control a PC or server from
elsewhere, be it from down the hall or from halfway around the world.
All that is required to control a PC or server is a web browser or WAPenabled wireless device.
The Remote Manager is a remote administration tool that lets you
control and administer Microsoft® Windows®-based computers over a
local area network or the Internet. Originally designed for network
administrators, the Remote Manager has evolved to offer a wide
variety of remote computing solutions for an equally wide variety of
users. Today, the Remote Manager provides many useful capabilities
such as Java-based desktop remote control, file transfer protocol (FTP)
for downloading and uploading of files, configuration of the host
computer, remote-to-local printing, advanced scripting, and dozens of
other features.
The Remote Manager acts as the host software on the machine that is
to be controlled or accessed. The client (the remote computer that is
used to access the host) requires no special software. The client
software is any Java-enabled web browser, such as Internet Explorer
(IE versions 5.0 or above) or Netscape Navigator (versions 3 or
above). Many Remote Control features can also be accessed and
controlled using such client software as that found in handheld PDAs
and WAP-enabled mobile telephones.
Deploying the Remote Manager
Using the Remote Management object, the host software can be
deployed to one or more workstations on the network. On the settings
tab, simply select the Install action, specify a port and set the
validation logic. Once the configurations are replicated and the specific
workstations log onto the network, the Remote Manager component
will be deployed.
For more detailed information on the Remote Management object, see
Using Desktop Authority.
457
Administrator's Guide
Remotely Accessing a Workstation
When the host software installation is complete, each workstation may
be accessed from any client machine using any Java-enabled web
browser. To access the host machine, open an Internet browser and
enter http://111.111.11.1:2000 on the Location/Address line. The
“111.111.11.1” represents the IP address of the host machine. The
“2000” represents the default port entered on the Remote
Management client configuration tab. The machine can also be
accessed by entering http://machinename:2000 at the
Location/Address line.
Example:
http://pc345-XP:2000
http://192.168.3.26:2000
http://192.168.3.26:5050
Logging In
After entering the URL into your browser and pressing enter, the
Remote Manager login screen will be displayed.
The user database is accessed for authentication. Initially, log on as
someone who is a member of the Local Administrators group. This
default behavior can be changed later by granting NT users or groups'
access to Remote Management. Change this by selecting Security
object in the Remote Manager navigation pane. Select Access Control
to change the permission settings.
458
Reference
NTLM
Logon using current Windows login credentials to verify your identity
on the host computer by clicking on the NTLM Login button. This
only works when accessing a Windows NT/2000 or XP computer. It
will use the current credentials (those entered at the NT logon
prompt on the computer running the browser) to identify the
computer to the remote computer. This is only available on local
networks.
Options
By clicking on the Show advanced options button in the login
window a number of additional options become available:
459
Administrator's Guide
Go directly to
Using the first three buttons selects whether to go directly into
Remote Control, to File Transfer & Synchronization or to the Main
Menu page (default).
Full and Light Interfaces
Choose between the full and light interfaces. The full interface is
for DHTML capable browsers. The light interface is more suitable
for old browsers or users with slow connections.
Bypassing the Login Screen
An NTLM login can be forced – and thus bypass the login screen
entirely – by appending /ntlm/ to the URL with which you access the
Remote Manager. For example, the URL http://MAILSERVER:2000
would become http://MAILSERVER:2000/ntlm/. Be careful not to
forget the trailing slash!
This method may also be used to bypass the menu system and access
certain parts of the Remote Control host directly. Here are some URLs
as an example:
Remote Control:
http://machine.name.here:2000/ntlm/remctrl.html
Command Prompt:
http://machine.name.here:2000/ntlm/telnet.html
Chat:
http://machine.name.here:2000/ntlm/chat.html
Similarly, specify a username and password in the URL – thus forcing a
normal login – by appending the credentials in a
"/login:username:password:domain/" form to the URL with which you
access the Remote Control host. For example, the URL
http://MAILSERVER:2000 would become
http://MAILSERVER:2000/login:username:password:domain/. Yet
again, be careful not to forget the trailing slash!
The domain is optional. If omitted, an attempt will be made to be
authenticated on the computer on which it’s running, then in the
domain to which it belongs. Here are some URLs as an example:
Remote Control:
http://your.machine.here:2000/login:yourloginname:yourpassword/remctrl.html
Command Prompt:
http://your.machine.here:2000/login:yourloginname:yourpassword/telnet.html
Chat:
http://your.machine.here:2000/login:yourloginname:yourpassword/chat.html
460
Reference
Accessing Desktop Authority through a firewall
Most corporations today employ certain security measures to protect
their computer networks from hostile intrusion. One of the common
measures includes creating a firewall. A firewall is a system designed
to prevent unauthorized access to a private (internal) network.
Firewalls can be implemented either as hardware or software, or a
combination of the two.
The most common use of a firewall is to prevent unauthorized
intrusion from Internet users attempting to access a private network
or Intranet. A firewall examines all traffic entering or leaving the
internal network/Intranet, ensuring that traffic meets security criteria
established by the Network Administrator.
The Remote Manager can be configured to work with a computer
protected by a firewall. This requires mapping an external, incoming
port on the firewall to the internal IP and port on the computer running
the Remote Control host.
From outside the LAN, gain access to the computer running the
Remote Control host by entering the router’s IP address and the port
to which the desired machine is mapped. For example:
Router:
External IP address: 111.111.111.111
Remote Control host:
IP address: 192.168.0.10, Port: 2000
(port 2000 is the default but this can also be changed)
Step 1: Map a firewall port to the Computer
In this case, pick a port on the router (say, 5200) and map it to
192.168.0.10:2000.
The procedure for mapping ports from routers to computers is
router-specific. Usually the router will have a web-based interface
that allows configuration and maintenance. Sometimes router
companies refer to this action as Port Forwarding or Port Mapping.
Step 2: Access the Remote Control Host through the firewall
Having done the above, fully access the Remote Control host with
the URL http://111.111.111.111:5200 - that is the firewall’s
external IP, followed by the port mapped to the Remote Control
host.
*This feature is not a standard part of Desktop Authority Express. To
obtain this feature, Desktop Authority Express must be upgraded to
the full version of Desktop Authority.
461
Administrator's Guide
USER INTERFACE
The user interface is designed to make using the Remote Manager
quick and easy to use. For details on each section follow the links
below.
The Menu
Every page of the Remote Control host can be reached from the left
hand menu tree of the Manager. The menu tree is expandable and
collapsible like Windows Explorer so you can find the pages you need
quickly.
The sub-sections of each item in the menu tree are labeled as follows:
•
Home
•
Remote Control
•
File Transfer
•
Help Desk Chat
•
Computer Management
•
Computer Settings
•
Server Functions
•
Scheduling & Alerts
•
Performance Monitoring
•
Security
•
Preferences
•
Custom Pages
Each of the expandable sections in the tree have sub-sections which
use the following icons for the sub-section pages.
The page contains data that can be modified. It is a configurable
page.
A page just displays data. Although you may be able to refresh the
page in order to get the latest data, you cannot interact with or in
anyway modify what is shown from this location.
462
Reference
Performance Data Viewer
On each page of the Remote Manager you can see a real-time
Performance Data Viewer. This java applet is to the right of the logo in
the top frame. It shows CPU load (green) and Memory load (red) and
is updated every few seconds so you can get instant feedback on the
effects of performance intensive processes.
This graph can be disabled under the Preferences object. Select
Appearance.
QuickLinks
QuickLinks are accessible from every page of the Remote Manager.
You can add your favorite pages to the QuickLinks drop down menu
wherever you see the star icon in the tool bar of the page you are
viewing. You can also edit your QuickLinks by clicking on -- Edit your
QuickLinks -- in the QuickLinks drop-down menu.
The QuickLinks menu is situated in the top frame of the page so that
your favorite pages are always only a click away. They are also listed
on the System Overview tab of Home page.
End Remote Session
You can complete the remote session by clicking the red End Remote
Session button in the top right corner of the screen, to the right of
your computer’s name. If you are inactive for 10 minutes you will be
logged out automatically. The session timeout time can be modified
under the Preferences object. Select Access Control.
Time
The time on the remote machine is displayed above the log out button.
The Main Content Window
The main content window is where you will do most of your interaction
with the host machine via the Remote Manager. For the most part this
should be self explanatory.
463
Administrator's Guide
On most pages you will see a tool bar at the top. Below is a quick key
to the buttons you’ll encounter on these toolbars.
Refresh
Paste
Permissions
Download
files
Delete
Rename
Execute
Find files
Cut
Edit
Create new
folder
Set sharing
properties
Copy
Change
attributes
Upload files
Create rule
System Tray Icon
The Remote Manager deploys a system tray icon on each client that
the Desktop Authority Remote Management service is deployed on.
The icon serves many purposes. This icon can be fully configured via
the Preferences object. Select Systray Settings.
The icon will blink whenever someone is accessing the computer using
a Remote Control host. Double-clicking the tray icon will bring up a
dialog that shows the most recent events that have occurred within
the Remote client.
Two other icons can be configured to be displayed in the system tray
as well. One is a memory usage indicator (in red), the other is a CPU
load indicator (in blue). These can be enabled and disabled at will.
A user sitting at a Windows XP host computer will be notified of remote
printing via a popup window.
Right-clicking the Desktop Authority icon will bring up a popup menu
with the following items:
Open Status Window
This is the default action. Choosing this is equivalent to doubleclicking the icon. Selecting this item displays the Desktop Authority
status window.
Open Desktop Authority
Select this menu item to load the Remote Manager on the local
machine using the default browser.
Enable/Disable Desktop Authority
Here you can turn the Desktop Authority service on and off at will.
464
Reference
Enable/Disable Status Indicators
Here you can enable or disable the memory and CPU usage
indicators.
Show Performance Windows
This menu provides a selection of performance indicators to display
on your desktop.
The menu selections displayed are based on the performance data
Desktop Authority is able to collect from the client. The software
automatically collects performance data on CPU usage (total and
broken down by individual CPU on SMP systems), and various memory
counters.
When you select an item from this menu, a window will pop up, similar
to this:
Double-clicking the performance window will shrink it to a smaller
format.
You can have as many of these windows up on your screen as you
want. They are persistent – that is, they will automatically appear in
their previous position following a reboot.
465
Administrator's Guide
HOME
Home is the page that you will see when you start up the Remote
Manager. Here you will find a useful at-a-glance System Overview.
More general information about the Desktop Authority itself is
available if you click on the About Desktop Authority tab.
System Overview tab
When you start up the Remote Manager you will see the System
Overview tab of the Remote Manager. It contains a multitude of useful
information about the host computer.
Welcome
At the top of the page you'll see a welcome message which displays
who you’re logged in as. The date and time of the host machine is
also displayed. If you click on the date and time (highlighted in blue)
you'll be taken to a page where you can set the time on that
machine. This page is also accessible under the Computer Settings
object. Select Time from the navigation tree.
Information about when the machine was last rebooted, how long
it’s been running, and how much data has been sent to how many
clients is also shown here.
Security
In the top right corner of the System Overview section of the
Remote Manager Home page you can see a summary of your
security data. This includes the authentication method used to log in
and information on the Secure Sockets Layer (SSL) connection.
QuickLinks
QuickLinks are designed to make access to frequently used features
quick and easy. Displayed in the blue box on the right hand side of
the home page, you can add any page of the Remote Manager to
QuickLinks so that your favorite or most often used sections are
always only a click away from log in.
QuickLinks are also displayed in a dropdown in the upper frame of
every page so you can always select your favorite pages quickly.
To add a QuickLink, just click on the QuickLinks icon, , which
appears on every page. To remove a QuickLink, select —Edit your
QuickLinks – from the drop down menu.
466
Reference
Performance
The performance graph details memory usage. Data about the
physical and committed memory are displayed in an easy to read
green and red graph.
Current Connections
Here you can see data on any current connections on the host
machine.
Most Recent Accesses
Here you can see information about the users who have most
recently accessed the Remote Manager on this computer.
System Information
Here you can see information on the computer itself, including the
current CPU utilization.
Operating System
An overview of the operating system of the accessed machine is
displayed here, including when it was installed.
Installed Hotfixes
Here you can see a list of the Hotfixes that have been installed on
the machine. Click on the Hotfix name for more information about
that particular Hotfix.
About Desktop Authority tab
Behind the System Overview tab you will see the About Desktop
Authority tab. Here you can find the system license information.
ScriptLogic.com
There is also a link to our site so you can find out more about this
and other products from ScriptLogic. Here you'll also find our
support pages, along with the popular Desktop Authority forums and
KnowledgeBase. If the answer isn't in the manual you may well find
it there.
Software License
The legal terms and conditions of your license are published here for
your reference. General copyright data is also displayed on this
page.
467
Administrator's Guide
REMOTE CONTROL
One of the main features of Desktop Authority’s Remote Manager is its
advanced ability to remotely control the computer on which it is
installed, thus enabling you to authentically replicate the experience of
sitting in front of the host computer — regardless of where you
actually are in the world.
When you select Remote Control a small Java applet is downloaded to
the client and will display the screen of the remote computer. Your
actions, such as keyboard usage and mouse movement are emulated
by Desktop Authority on the screen and on the remote computer. The
java applet downloads automatically. Depending on your browser
settings, you may see a popup window asking you to accept or reject
this. You should accept it in order to use Remote Control.
When typing or using your mouse it will be exactly as if you were
sitting in front of the remote machine. The only real difference will be
a few Desktop Authority specific tools which appear at the top of the
remote control window, detailed below.
The Menu
In the top left corner of the remote control screen you will see the
menu:
468
Reference
Menu
Send Ctrl-Alt-Del
Sending Ctrl-Alt-Delete cannot be captured by the applet, but you
can still send them via this menu item. Selecting this menu item will
immediately send the Ctrl-Alt-Del key sequence to the host
computer.
Send Special Keys
Certain keystrokes, such as Alt-Tab, cannot be captured by the
applet, but you can still send them via this menu item. If you select
Send Special Keys you will gain access to a whole list of special key
combinations you might want to send to the host computer.
Transfer Clipboard
Another useful option available from the menu is the ability to
transfer your clipboards between machines, thus allowing you to
copy from one machine and paste on the other.
For example, if you copy some text on the local machine, then
select Transfer Clipboard then Local to Host from the menu on
the remote screen. The same applies the other way around, but you
would select Host to Local in order to transfer your clipboard
between machines.
The limit is 8mb in both directions. If the clipboard is larger it won’t
do anything. On the MS JVM it only supports Unicode text. With Sun,
it also works with bitmaps.
Open Chat
Select Open Chat to initiate a chat session with the remote
computer.
View Connection Status dialog
Select View Connection Status dialog to view the status of the
connection with the remote computer.
469
Administrator's Guide
Full Screen
Also available in the menu is the Full Screen option. This detaches
the remote window allowing you greater flexibility. When in full
screen mode you can easily switch back to the standard Remote
Manager frame by selecting Exit Full Screen from the menu.
You can also do this with the close and maximize icons in the top
right corner of the remote window.
End Remote Control
Select this menu option to end the Remote Control session.
470
Reference
Screen
Display Properties
You can modify the remote screen’s display properties via the menu
as well. There are drop down menus for color quality and screen
resolution, as well as a zoom option that allows you to view the
screen all the way up to 300% of its original size.
For the best performance during remote control you should set the
remote machine’s screen resolution down to the lowest, still
convenient value.
It is also recommended that you do not use 16-bit (hi-color, 65536
colors) for the remote host’s display. Use either 256 colors or true
color. Converting 16-bit color bitmaps down to the internal format is
rather slow, and has an impact on performance.
Click
to set the dialog size to the same size as the host
computer. Click
dialog. Click
mode.
to fit the host computer dialog within the client's
to view the host computer in full screen
Ctrl-Alt-Del
Sending Ctrl-Alt-Delete cannot be captured by the applet, but you
can still send them via this menu item. Selecting this menu item will
immediately send the Ctrl-Alt-Del key sequence to the host
computer.
Network
Click Network to select the network type from the given drop list.
Select from Modem (56 Kbps), DSL (384 Kbps), WAN (2 Mbps), LAN
(10 Mbps) or Auto. Select the network type to optimize the remote
control session for the type of network chosen.
Display
Select the Number of Displays for host computers that are using
multiple monitors. This will allow the client to switch between the
monitors on the host computer during the Remote session.
Blank Display
Click Blank Display to blank the display on the host computer. This
is useful for preventing user interaction while remote work is in
process.
471
Administrator's Guide
Remote Notification
When you initiate a remote control session a notification message
will appear on the remote screen. If you do not have full
administrative rights on the remote machine, a user sitting there
would be invited to decline or accept the remote session, with a
default time of 10 seconds before you would be connected
automatically. You can configure both the message displayed and
the amount of time given to make a decision under the
Preferences object. Select Remote Control When a remote
session is in progress, a small window in the top right corner of the
remote screen is displayed stating who is currently remotely
connected to the machine. This message can also be configured
under the Preferences object. Select Remote Control.
Remote Printing
When connected to the remote machine, and if you have remote
printing enabled under Preferences [ Remote Control, that machine’s
default printer will temporarily become that of your local machine.
This means that should you choose to print anything from the
remote machine, you will receive it on your local printer.
A user sitting at the remote machine would be notified of this
change.
Remote Control Preferences
There are a number of special features you can use to configure
your remote control sessions under preferences. These are detailed
in the Preferences section towards the end of this chapter under the
Preferences object. Select Remote Control
Screenshot-based Remote Control
If the client you are using is not java-enabled, or for whatever
reason your connection is just too slow, you might want to make
use of Screenshot-based Remote Control.
In order to use this feature you’ll first need to set it as the default
for Remote Control under the Preferences object. Select Remote
Control.. You can switch back to Java Remote Control (the standard
for real-time control) any time, although you cannot switch from
Java straight to Screenshot-based.
If you have Screenshot-based Remote Control enabled, this is what
you’ll see when you click on Remote Control in the left hand menu:
The remote screen is a clickable image map, with which you can
interact right on the page to some extent (clicking on buttons, right
clicking) but for the most part you will have to use the toolbar at the
top.
472
Reference
To enter text on the remote screen, you have to enter it in the send
keys field in the toolbar and click send. Checking the box next to
this field enables you to enter special characters and simulate
special keys. Each key is represented by one or more characters. To
specify a single keyboard character, use the character itself. The
plus sign (+), caret (^), percent sign (%), tilde (~), and braces { }
have special meanings to this function. To specify one of these
characters, enclose it within braces ({}). For example, to specify the
plus sign, use {+}. To specify brace characters, use {{} and {}}.
To send special key combinations such as Ctrl+Alt+Delete, use the
drop down menu to the right of the send keys field.
To specify characters that aren't displayed when you press a key,
such as Enter or Tab, and keys that represent actions rather than
characters, use the codes shown below:
Key Code
Backspace {BACKSPACE}, {BS}, or BKSP}
Caps Lock {CAPSLOCK}
Del {DELETE} or {DEL}
Down Arrow {DOWN}
End {END}
Enter {ENTER} or ~ ESC {ESC}
Home {HOME}
Insert {INSERT} or {INS}
Left Arrow {LEFT}
Num Lock {NUMLOCK}
Page Down {PGDN}
Page Up {PGUP}
Right Arrow {RIGHT}
Scroll Lock {SCROLLLOCK}
Tab {TAB}
Up Arrow {UP}
F1 to F24 {F1} to {F24}
To specify keys combined with any combination of the Shift, Ctrl,
and Alt keys, precede the key code with one or more of the
following codes:
Key Code
Shift +
Ctrl ^
Alt %
For example, if you wanted to go to the beginning of an edit field,
select the entire line, place it on the clipboard, and overwrite it with
something else then hit Enter, you would type:
{HOME}+{END}^cThis is the new text {ENTER}
473
Administrator's Guide
This translates into pressing the Home key (going to the beginning
to the field), pressing the Shift and the End keys at the same time
(selecting the entire field), pressing Ctrl+C (clipboard copy), typing
the new text and then hitting Enter.
Click on the Java-based Remote Control icon in the toolbar to switch
to Java based Remote Control.
474
Reference
FILE TRANSFER
With Desktop Authority File Transfer you can quickly and securely
transfer files between the local and the remote computer. All data
transferred between the two computers is compressed and encrypted
by the Java applet, so you can be sure that it is secure. The file
transfer screen is divided into two panels. The left hand panel shows
the file system of the computer running the web browser. The right
panel displays the remote computer’s file system.
You can use the icons in the toolbar at the top of the screen or your
keyboard and mouse to operate the File Transfer applet. There’s
always an active and inactive panel and you can switch easily between
them with the Tab key.
475
Administrator's Guide
The available toolbar buttons are:
You can refresh the list with the Refresh button, or by pressing
F5.
You can go up to the parent directory by clicking on the Up
button, or by pressing Backspace.
To go to a different folder click on the Goto folder button, or
use the CTRL+G key combination.
You can create a new folder with the Create folder button or by
pressing CTRL+N.
You can delete a folder or file with the delete button, or by
pressing Delete on your keyboard.
You can rename a file or folder with the Rename button or by
pressing F2.
You can copy a file or folder with the copy button or by
pressing CTRL+C.
You can move a file or folder with the Move button or by
pressing CTRL+X.
Synchronize folders by clicking on the Synchronize current
folder button or by pressing CTRL+S.
You can select files with the Select files button or by pressing +
(plus) on the number pad.
You can unselect files via the toolbar Unselect Files button or
with - (minus) on the number pad.
476
Reference
HELP DESK CHAT
Desktop Authority’s Help Desk Chat feature allows you to communicate
with the user sitting in front of the remote computer as you would with
any instant messenger software. Desktop Authority’s advanced
diagnostic capabilities can be put to use while you’re remotely
connected.
The text you type appears in the upper pane of the chat window, the
remote user’s in the lower. You can copy and paste text from and to
these windows.
This functionality is implemented in a java applet which is similar to
the screen that the remote user will see.
477
Administrator's Guide
COMPUTER MANAGEMENT
The Computer Management menu allows you to take advantage of a
wealth of Desktop Authority administrative features including the File
Manager, information on the Processes, Services and Drivers of the
remote machine and even a reboot of the remote machine.
File Manager
The File Manager displays a list of all available drives, together with
their capacity and available space. Double-clicking on the drive names
will take you into the root directory of that drive, where all files and
directories are also links. Double-clicking on the name of a
subdirectory will take you into it and produce a listing. If you doubleclick on the name of a file, the remote manager will send it to your
browser. Press the Back button to close the file. Press the Save
button to save any changes made to the file. You can select multiple
consecutive files with the Shift key, or non-consecutive files with the
CTRL key. Then, using the toolbar or by right-clicking you can copy,
delete, or move the files.
By clicking the Execute button, the remote manager will attempt
to launch each selected file on the host Desktop Authority.
The Edit button lets you edit small text files right within your
browser. This is useful for changing small configuration or batch
files without downloading or uploading.
The Attributes button lets you change file attributes, such as
Hidden, Read-Only, etc.
The Permissions button lets you specify new Windows NT
permissions on the selected objects if the file system supports it.
Clicking the Upload button lets you upload files to the current
directory using your browser.
478
Reference
Fields displayed in the file manager
Icon
A small icon indicating the file type
Name
File name and extension
Attributes
File attributes (i.e. read-only, system, etc.)
Permissions
Indicates what actions the user can perform on the object (i.e.
read, write, change, etc.)
Size
File size Compressed size If the file system supports
compression, this field shows the amount of storage the file
takes up on disk
Compression ratio
Effectiveness of compression, if applicable
Created
File creation time Last modified Last modification time
Last accessed
Last access (read or write) time
Owner
The owner of the file
In use by
The name of the application that might have this file open.
The Go field accepts a path name. Entering a directory (for example
C:\Winnt\System32\Drivers) and clicking on the Go button will
immediately take you to the requested location, without having to click
your way there. This can be especially helpful over slow connections.
Clicking on header fields will change the sorting order of the file list to
the relevant column. For example, to sort files by modification time
rather than name, simply click on the header field for that column. To
sort in descending order, click the header field of the currently active
sorting field again.
479
Administrator's Guide
User Manager
When you click on User Manager under the Computer Management
menu you will be able to access Desktop Authority’s full-blown User
Manager. User Manager supports all the features of Windows' built-in
User Manager including user and group maintenance.
Click Add User on the Users tab to add a new local user to the
computer. Click on an existing User name to modify the account
settings. On the Groups tab, click Add Group to add a new local group
or click on an existing group to manage the group settings.
Add User
480
Reference
User Name
Enter the new user account name.
Password
Enter the user account password.
Confirm password
Type the password again to confirm it.
Full name
Enter the user's complete name.
Comment
Enter any text to describe the user account.
User must change password at next logon
Select this box to force the user to reset the password at the
next logon.
User cannot change password
Select this box to disallow the password to be changed.
Password never expires
Select this box to enable the password to never expire.
Account disabled
Select this box to disable the selected user account.
Account locked out
Read-only setting that specifies the user account is locked
out. This user may not log on to the network.
Home directory
Enter a shared network directory as the home directory.
Drive letter assigned to home directory
Specify the drive letter to which the home directory will be
mapped to.
Logon script
Enter the name of the logon script.
Profile path
Enter the path to the mandatory or roaming user profile.
481
Administrator's Guide
Manage User
The Manager user dialog presents the same configuration settings as
the New user dialog. The Manager user dialog also presents several
different user account status's; Last logon, Last logoff, Account
expires, Password last changed, Bad password count and Number of
successful logons.
New Group
Group Name
Enter the name of the new group.
Description
Enter a group description.
Manage Group
The Manage group dialog displays Group Members and Non-Group
Members. A group can also be renamed here.
482
Reference
Event Viewer
If you select Event Viewer under the Computer Management menu you
can view the NT logs of the remote machine. This feature is very much
like NT’s Event Viewer. You will see a listing of log entries on your
screen. Clicking on an entry in the list will display its details.
You can choose to clear the contents of the log file by pressing the
Delete button in the toolbar. If you specify a filename, the event log
will be backed up before being erased.
You can also have the Remote Manager send email alerts to a specified
email address when log entries matching a given criteria are entered
into any of the event logs.
For more information on this feature and its uses select the
Scheduling & Alerts object in the navigation pane. See Email
Alerts.
Services
When you click on Services under the Computer Management menu
you will see a list of services running on the remote machine. The
Services list displays the names and statuses of all the services
installed on the remote machine.
Double-clicking on the service name will show you more detail about
the selected object and allows you to control it. You can change its
startup and logon options. Dependencies can also be viewed by
selecting the Dependencies tab. When specifying a user account to be
used by a service, it must be in DOMAIN\USER form. If you want to
use a local user account, you can type .\USER.
In the list of objects, the status field shows Stopped, Running,
Starting, Stopping, etc. Desktop Authority looks through the list of
services, and if it finds one that is set to start automatically but is not
running, a question mark is displayed. This alerts you to the fact that
the service should be running, but isn't.
Processes
When you click on Processes under the Computer Management menu
you will see a list of processes running on the remote machine. The
processes list will give you a listing of all processes running on the
remote Desktop Authority.
The list is hierarchical – a parent process will have its child processes
listed beneath it, with indentation indicating relationships. Please note
that this is for information purposes only, since Windows reuses
process IDs.
483
Administrator's Guide
The following information is available either in the list or by clicking on
an item:
•
PID The internal Windows NT Process ID.
•
Name The name of the executable file with full path. This
works as a link, and clicking on it will give you some very
detailed information on the process. On that page, you have
the option of changing the priority class or the processor
affinity for the selected process. This data is arranged on
separate tabs for easy viewing.
•
Version The version of the program, if given.
•
Description The description of what the program does, if
given.
•
Memory Used The amount of memory in use by the process in
kilobytes.
•
Created The date and time the process was started.
•
CPU Time The amount of CPU time (d hh:mm:ss) the process
has used.
•
Priority The priority class of the process.
•
Type The type of the process (service or interactive).
•
Account The user account the process runs under.
•
Kill Clicking this red button will have Desktop Authority kill the
process. The process will be terminated immediately.
The Refresh button will retrieve and display the latest process list. The
CPU% button will return a process list with an additional field,
displaying current CPU utilization on a per-process basis. This function
takes two process list samples, two seconds apart, and compares the
amount of CPU time used by each process between the two samples to
calculate CPU utilization percentages. The total amount displayed can
actually be more than 100% on multiprocessor systems, since each
processor can be utilized from 0 to 100 per cent. For dual-processor
systems, the maximum is 200%, for quadprocessor systems it is
400%, etc.
Double-clicking a process will show you more detail about the selected
process. Threads, DLLs, open files and registry keys belonging to the
selected process can also be viewed.
484
Reference
Drivers
When you click on Drivers under the Computer Management menu you
will see a list of drivers running on the remote machine. The Drivers
list displays the names and statuses of all the drivers installed on the
remote machine. Double-clicking on the driver name will show you
more detail about the selected object. Dependencies can be viewed by
selecting the Dependencies tab.
In the list of objects, the status field shows Stopped, Running,
Starting, Stopping, etc. Desktop Authority looks through the list of
drivers, and if it finds one that is set to start automatically but is not
running, a question mark is displayed. This alerts you to the fact that
the driver should be running, but isn’t.
Registry Editor
The Registry Editor enables you to edit the registry of the host
Desktop Authority. First, the registry roots (HKCR, HKCU, HKLM, etc.)
are displayed, and you can drill down into them by clicking on their
names.
Registry keys are links that open up that key for you. Key values are
also displayed here, with their name, type and value.
You can edit values that are of either text (REG_SZ, REG_EXPAND_SZ
or REG_MULTI_SZ) or integer (REG_DWORD) type. Binary, and other
value types are only displayed and cannot be edited.
Using the toolbar buttons at the top of every page you can add a
subkey, add a value or delete the currently opened key.
Command Prompt
You can access a command prompt from within your browser by
selecting Command Prompt under the Computer Management menu.
The Telnet client, written as a Java applet, provides encryption and
data compression for security and speed. The Telnet and SSH server
included with Desktop Authority lets you access a command prompt on
a remote Desktop Authority from terminal emulator software or a web
browser.
You can either use the Java Telnet client that’s part of Desktop
Authority, or any other terminal emulator you like. There are several
reasons to stick with our client:
It’s secure - it uses the same encryption that’s employed by the
remote control module. It’s fast, since it uses sophisticated data
compression to achieve high throughput. And finally, it lets you
transfer keystrokes that terminal emulators don’t handle, such as the
Alt key. You can also use your mouse in console applications that
support it.
485
Administrator's Guide
If you decide to use a terminal emulator instead, you will need to
connect to the Telnet port (23) or the SSH port (22). You can change
the default listener ports in the configuration dialogs to any available
port. Should you need to send a special keystroke to the server, just
press Ctrl-Q and a virtual keyboard will pop up. You can then move the
pointer over the desired key with the cursor keys, and press Enter to
send it. If you want to send a combination of several keys at the same
time, you can select the keys with Space, and then press Enter after
selecting the last key of the combination.
When a connection is initiated from a terminal emulator, you will be
asked to log on.
This is handled automatically by SSH clients, so you need to enter
your username and password in the SSH client itself. Desktop
Authority currently supports the SSH1 and SSH2 protocols with
password authentication. To specify a Windows NT/2000/2003 domain,
you can enter it as part of the username, separated from the actual
login name with a backslash character. For example:
DOMAIN\Username.
With Telnet clients, you need to enter your credentials in clear text
during the session. You are asked for your username, password, and
Windows NT/2000/2003 domain.
After successfully logging in, you will be asked if you want full console
support. If you answer with No, you will only be able to use streammode programs - applications that take over the whole console
window, like Edit.com, Norton Commander, the Far file manager, etc.
will not work. However, if you are only planning to use command-line
utilities, you can safely say No to this question. You will be taken
directly to the command prompt.
If you answered yes to the previous question, you will be asked to
specify the console window size. A default value is provided for you.
You should make sure that the terminal emulator you are using
supports it and is set to the size you enter here.
Finally, if you have an ANSI compliant terminal emulator, you can
choose to use ANSI color support during the session.
Should you disconnect your terminal emulator, or go to a different
page in the browser window containing the Telnet client applet, all
applications you have running in the Telnet session are left active.
You can reconnect to this Telnet session by simply logging in (or
loading the applet) again. There is a timeframe for this though: if you
do not reconnect within an hour, all your telnet applications, including
the command shell, are terminated. You can change the timeout value
from the default one hour to anything you like in the configuration
dialogues.
To close the Telnet session, type exit at the command prompt.
486
Reference
Reboot
When you click on Reboot under the Computer Management menu you
will see the following reboot options which allow the remote machine
to be rebooted. You have five choices.
Restart Desktop Authority Restarts the Desktop Authority
service. It does not reboot the remote machine. This is useful if
you change settings like the listening port and have no physical
access to the machine in order to restart the service.
Normal Reboot Closes all processes and reboots the remote
machine in an orderly fashion.
Emergency Reboot Does not allow applications and other
processes to terminate gracefully, so you might lose unsaved
data. Windows will, however, shut down nicely and flush all
outstanding file operations to disk. This can be useful if there
are hung processes that prevent NT from shutting down
normally.
Hard Reboot Reboots as quickly as possible. This option will not
allow Windows to terminate gracefully, so you might lose
unsaved data. Since rebooting is immediate (just like pressing
the reset button) you will not receive any feedback from
Desktop Authority when clicking this button.
Scheduled Reboot This allows you to schedule a date and time
to automatically reboot the Desktop Authority. This is useful if
the reboot is not urgent and can take place during off-peak
hours.
487
Administrator's Guide
Monitor Host Screen
Here you can enable screenshot-based remote control, which means
that when you click on Remote Control in the menu, instead of loading
the Java applet, it will go straight to screenshot-based Remote Control
instead. You can switch to Java based Remote Control from the
toolbar, but you cannot switch back again. This setting is useful if you
have an extremely slow connection or a browser without Java.
If the client you are using is not java-enabled, or for whatever reason
your connection is just too slow, you might want to make use of
Screenshot-based Remote Control.
In order to use this feature you’ll first need to set it as the default for
Remote Control under the Preferences object. Select Remote
Control.. You can switch back to Java Remote Control (the standard
for real-time control) any time, although you cannot switch from Java
straight to Screenshot-based.
If you have Screenshot-based Remote Control enabled, this is what
you’ll see when you click on Remote Control in the left hand menu:
The remote screen is a clickable image map, with which you can
interact right on the page to some extent (clicking on buttons, right
clicking) but for the most part you will have to use the toolbar at the
top.
To enter text on the remote screen, you have to enter it in the send
keys field in the toolbar and click send. Checking the box next to this
field enables you to enter special characters and simulate special keys.
Each key is represented by one or more characters. To specify a single
keyboard character, use the character itself. The plus sign (+), caret
(^), percent sign (%), tilde (~), and braces { } have special meanings
to this function. To specify one of these characters, enclose it within
braces ({}). For example, to specify the plus sign, use {+}. To specify
brace characters, use {{} and {}}.
To send special key combinations such as Ctrl+Alt+Delete, use the
drop down menu to the right of the send keys field.
To specify characters that aren't displayed when you press a key, such
as Enter or Tab, and keys that represent actions rather than
characters, use the codes shown below:
Key Code
Backspace {BACKSPACE}, {BS}, or BKSP}
Caps Lock {CAPSLOCK}
Del {DELETE} or {DEL}
Down Arrow {DOWN}
End {END}
Enter {ENTER} or ~ ESC {ESC}
Home {HOME}
Insert {INSERT} or {INS}
488
Reference
Left Arrow {LEFT}
Num Lock {NUMLOCK}
Page Down {PGDN}
Page Up {PGUP}
Right Arrow {RIGHT}
Scroll Lock {SCROLLLOCK}
Tab {TAB}
Up Arrow {UP}
F1 to F24 {F1} to {F24}
To specify keys combined with any combination of the Shift, Ctrl, and
Alt keys, precede the key code with one or more of the following
codes:
Key Code
Shift +
Ctrl ^
Alt %
For example, if you wanted to go to the beginning of an edit field,
select the entire line, place it on the clipboard, and overwrite it with
something else then hit Enter, you would type:
{HOME}+{END}^cThis is the new text {ENTER}
This translates into pressing the Home key (going to the beginning to
the field), pressing the Shift and the End keys at the same time
(selecting the entire field), pressing Ctrl+C (clipboard copy), typing
the new text and then hitting Enter.
GP Update
Normally, Group Policies are updated on a timed interval. To force a
Group Policy update, click the Group Policy Update button to refresh
local and Active Directory based Group Policy settings, including
security settings at the current time.
489
Administrator's Guide
COMPUTER SETTINGS
In addition to the administrative features available under Computer
Management, you can also view and modify a number of settings on
the remote machine, from Environment Variables to Automatic
Priorities.
Environment Variables
Here you can view and make changes if necessary to System
Environment Variables on the remote machine. User environment
variables that are defined by you or by programs are listed, such as a
path where files are located.
Virtual Memory
This option allows you to change virtual memory settings on the
remote computer. Simply enter a minimum or maximum size for the
paging file next to a drive listed above and click the Apply button.
Entering zero values both for the minimum and maximum size will
remove the paging file from the drive.
You will need to reboot the computer for any changes to take effect.
Time
This option allows you to edit the time on the remote computer.
Simply enter the correct values and click the Apply button. Please
note that the time is displayed according to the time zone settings of
the host computer.
Automatic Login
This option lets you enable or disable NT’s autologon feature. You can
also do this via the registry or with other small utilities, like the one
included in the NT Resource Kit.
Enabling autologon will cause the server to bypass the logon screen
after system startup and log in with the username and password
specified here.
This is a potential security risk: the username and password are stored
in the registry in clear-text format.
490
Reference
Shared Resources
This function gives a detailed report of all shared resources on the
remote computer, including shared folders, administrative shares, and
printers etc.
The link to the Path in the right hand pane of the window takes you to
the directory in File Manager. The connections list shows open files, if
any. These files can be forcibly closed by clicking on the Close button.
Access permissions active on the object are also shown in detail,
except for administrative shares where permissions cannot be set.
The Delete Share button removes sharing from the object.
Automatic Priorities
Automatic Priorities lets you direct Desktop Authority to automatically
change process priorities. If you have ever wanted to run a backup on
your server without impacting performance or archive a huge directory
structure using zip/winzip on a live web server without putting
additional load on the machine you will find this feature useful.
Likewise if you have ever wanted your workstation to be responsive
while you browse the web on your workstation during a lengthy
compile.
When you click on Automatic Priorities, you are taken to a dialog that
shows you a list of executables and their target priorities. By default
the list is empty, so you will need to click on the Create button, , in
the toolbar. On the dialogue that comes up, enter the name of the
executable, and select the target priority from the dropdown box. The
name of the executable is without paths, so, for WinZip it’s
WINZIP.EXE, for the Microsoft C compiler it’s CL.EXE, etc. The target
priority is usually Idle. This puts your process in the same priority
class as the screen saver, meaning that it will only get a chance to
make any progress if it does not compete for CPU power with other
processes. You can also select a target CPU for the process. This
allows you to divide processes amongst CPUs on an SMP machine to
suit your needs. Click on Add and you are taken back to the previous
list that is now showing your executable’s name and the priority class
you selected.
If there are entries in the list, Desktop Authority will scan the process
list on your machine every ten seconds, looking for the process names
you entered. If Desktop Authority finds one and its priority class does
not match the one you specified it will be changed to your preference.
491
Administrator's Guide
SERVER FUNCTIONS
Under Server Functions you can find all the pages you'll need to make
use of Desktop Authority’s powerful FTP capabilities.
Desktop Authority comes with an extremely versatile FTP server. You
can set up an unlimited amount of FTP servers on one computer, each
with its unique IP address and port combination. You can create users
and groups for your FTP server, or you can use the built-in Windows
NT accounts for rights management.
If logging has been enabled in the Preferences object. Select Log
Settings. The FTP Server will log all user activity to the main Desktop
Authority log file.
FTP Configuration
The options for creating and managing the settings for your FTP
servers, users and groups are arranged into three tabs.
FTP Servers
In order to create a new virtual FTP server on your machine you need
to define at least one virtual FTP server on the FTP Servers tab of the
FTP Configuration screen. If no FTP servers are defined then this
screen will be blank, except for the New FTP server button.
Once you have defined a new server they will be listed in a table.
You can delete a server by clicking on the red box in the delete column
to the right of a given server. The server can be started and stopped
by clicking on the status indicator to the left of the virtual server.
A green circle indicates that the server is running, and a red one
shows that it is stopped. This may be either because it was stopped
manually, it has been disabled, or it was not able to start due to an
error.
When you stop an FTP server on this screen its status will change to
Disabled. This means that when you reboot the computer the server
will not be started automatically. Likewise, if you start a stopped or
disabled FTP server it will be Enabled, and it will start automatically on
rebooting.
492
Reference
New FTP Server
To set up a new FTP server click on the New FTP server button at the
bottom of the FTP servers tab. This will bring up the New FTP server
dialogue screen. You can specify the following settings for your new
FTP server here:
Name
The name of the virtual FTP server. This is for reference purposes only.
You can call your server whatever you want. This is what will be
displayed on the FTP configuration screens, the login message from
the FTP server, and so on.
TCP/IP port to listen on
The port in use by the virtual FTP server. The default is the standard
FTP port, 21.
TCP/IP address to listen on
The IP address to use. You can select one item from the list. If you
select All available interfaces the virtual FTP server will listen on all
assigned IP addresses.
IP Filter
The IP Filtering drop down lets you specify the IP addresses from
which to accept connections. By default, the clients can come from any
IP address. The IP filtering engine is the same as that used by Desktop
Authority itself. Please see the section on IP filtering under Security for
more information.
The server is enabled If a server is enabled it will start automatically
with Desktop Authority. If disabled you will need to start it manually.
Port range for passive data Enter a range of ports to use for FTP data
transfers.
Root directory
The root directory for the virtual FTP server. If you leave this field
blank the drive list will be used as the root.
Resolve shell links If you enable this option, shell links (.lnk files)
pointing to directories will be displayed as directories, enabling you to
use Unix and Windows 2000-style hard links.
Download bandwidth limit
The global download speed limit for the server. No matter how fast
users are accepting data, the server will not send it any faster than the
speed specified here.
493
Administrator's Guide
Upload bandwidth limit
The global upload limit to the server. No matter how fast users are
sending data, the server will not accept it any faster than the speed
specified here.
When you've filled in the required data to define your new server, click
Apply. The following FTP server configuration pages will become
available as buttons at the bottom of the page:
•
Security
•
NT Users
•
Welcome
•
ODBC
Security
The Security dialogue lets you specify various security and connectionrelated options.
Maximum number of simultaneous connections
The maximum number of simultaneous connections to the FTP server.
Setting it to zero means that there are no limits.
Maximum number of failed login attempts
If a user fails to log in with this many tries the connection will be
dropped.
Login timeout
The maximum number of seconds the user can take to log in.
No transfer timeout
The connection will be considered idle and will terminate after the
specified number of seconds have elapsed on an open connection
without a file transfer or directory listing.
Stalled transfer timeout
This is the amount of time a file transfer can spend without sending or
receiving any data before it is considered stalled and thus terminated.
Allow keep-alives
FTP clients use various commands to keep the connection from being
idle. When enabled, FTP commands such as CWD, PWD or the
ubiquitous NOOP will reset the No transfer timeout counter (described
above). If disabled, only an actual file transfer or a directory listing will
reset the counter.
494
Reference
Thread priority
You can select the priority of the threads servicing users for the FTP
server. If you are running an FTP server on an otherwise busy web
server it might be a good idea to set the priority to a lower value than
the default Normal setting.
Allow unsecured FTP connections
If this option is disabled the FTP client must support and utilize SSL.
Allow data connections to go to different IPs than that of the
control connection (enable FXP, basically)
The FTP protocol uses two connections: The control connection and the
data connection. The data connection is where all the raw data is sent,
the control connection is used to send commands to the server and
receive replies. Normally data connections are set up to the same IP
address as that of the control connection, but in order to facilitate
server-to-server file transfers it may be desirable to allow data
connections to go to different IP addresses. If you are not using
server-to-server transfers you can safely disable this option.
WS_FTP compatible secure connections
WS_FTP, the most widely used SSL-enabled FTP client has an
unfortunate bug in the implementation of the protocol. Regardless of
whether you are using passive or active mode, the SSL data
connection is always negotiated in the same way. This is normally not
a problem, but if you want to use server-to-server transfers with SSL
encryption, the server has to behave differently when in passive or in
active mode. When is this option is set to Yes, server-to-server
transfers will not work with SSL.
Quoted password changes
This determines whether the parameters of the SITE PSWD command
are in quotes or simply surrounded by a space. (SITE PSWD oldpwd
newpwd vs. SITE PSWD "oldpwd" "newpwd").
Which form is used depends on the targeted FTP client.
Anti-hammer filter
This feature is similar to Desktop Authority’s IP address lockout
settings. By default if 4 bad logins occur from an IP address within one
minute, the IP address will be locked out for one hour.
Number of invalid attempts before locking out
You can change the number of bad login attempts from 4 to anything
you want.
Reset invalid attempt count after
You can modify the time before the invalid attempt count is reset to
zero.
495
Administrator's Guide
Lock out for
You can choose the duration for which the user is locked out after the
specified number of invalid attempts has been made.
NT Users
You can connect to the newly defined FTP server with any FTP client,
but you are not able to log in until you have created a new FTP user
and give them access to the server or you can allow any Windows NT
user to access the new virtual FTP server.
The difference between FTP users and NT users is simple. NT users are
pre-existing users in the Windows NT user database. Creating and
managing them is done via the User Manager – either the HTML-based
one included in Desktop Authority, or the User Manager applet that
comes with Windows. You cannot explicitly tell the FTP server the
directories and files to which the user has access, but Windows access
rights will be enforced. If a user can access a file below the server’s
root directory locally or over the network, he will be able to do so via
FTP as well. If a user has no rights to a file or a directory, he will not
be able to access the object with FTP either. This is enforced by the
FTP server by having the thread servicing the user impersonate him
towards the operating system as soon as login is complete.
FTP users, on the other hand, are created and managed within the FTP
configuration pages. You can tell the server which files or folders the
user can access, where he can read from, where he can write to. When
an FTP user logs on, the thread servicing the user is executing under
the LocalSystem account by default. This is rather undesirable, so you
can specify an NT user account on a per-server basis that will be
impersonated when servicing FTP users. We will return to FTP users
later in this chapter, when discussing the content of the FTP users tab.
The Windows NT account whose permissions are assigned to FTP users
fields let you specify a username, domain and password for an existing
Windows NT account. This is used when an FTP user logs on: the
thread servicing the user will be impersonating this account towards
the operating system. If you enter an incorrect username or an
incorrect password here, the FTP user will receive a 'Login incorrect'
message from the FTP server, even if he enters his credentials
correctly.
To grant access to a Windows NT user or group on the FTP server,
select its name in the list on the right and click the Update button. To
revoke access from a user or a group, select its name in the list on the
left, and click the Update button.
To list user accounts from a domain rather than from the local
computer, enter the domain’s name in the ‘default domain’ field and
click the Update button.
496
Reference
Now that you have granted access to an NT user, you can use an FTP
client to connect and log in to the FTP server. The user will have
access to all files and directories below the server’s root directory.
However, on an NTFS file system, NT access restrictions will apply. For
example, if the user does not have the rights to read or write in a
certain directory, he will not be able to do so via FTP either. The FTP
server enforces this in a very effective way: the thread servicing the
user will impersonate him towards the operating system as soon as
login is successful.
Welcome
The Welcome dialogue allows you to view and modify the welcome
message for your users:
The first message the user will see when they log in will be the
Desktop Authority welcome banner. If you do not wish to let the
outside world know which FTP server you are running, you can disable
this via the checkbox at the bottom of this window.
The next message the user will see looks like this by default:
——————————————————————————————
Welcome to the _!SERVER_NAME!_ FTP server,
running on _!OS_VERSION!_.
The server has been up for _!SERVER_UPTIME!_.
Data downloaded: _!BYTES_DOWN!_
Data uploaded: _!BYTES_UP!_
Sessions serviced: _!TOTAL_LOGINS!_
——————————————————————————————
You can change this to anything you like, or leave it blank if you'd
prefer no login message for your users. If you disable both the banner
and the welcome note, the FTP Server will just send ‘Welcome’
whenever somebody connects to the FTP port. This is because the FTP
specification requires a server to send a code and some text when a
connection is established.
By default, the post-login message looks like this:
——————————————————————————————
Welcome, _!USER_NAME!_, to _!SERVER_NAME!_.
Your last successful login was at _!LAST_LOGIN!_.
Good logins so far: _!GOOD_LOGINS!_.
Bad logins so far: _!BAD_LOGINS!_.
You have uploaded _!BYTES_UP!_ and downloaded
_!BYTES_DOWN!_ in your previous sessions.
——————————————————————————————
User logged in.
The final line reading User logged in cannot be customized, as this is a
requirement of FTP protocol. The rest you can change to suit your
preferences, or leave blank.
497
Administrator's Guide
The following variables can be inserted into the welcome messages,
and they will be automatically replaced with their corresponding
values:
_!SERVER_NAME!_
The name of the FTP server.
_!OS_VERSION!_
The operating system and its version.
_!SERVER_UPTIME!_
The amount of time the server has been up.
_!BYTES_UP!_ and _!BYTES_DOWN!_
The amount of data uploaded and downloaded. These variables behave
differently when used in the pre-login or post-login messages. In the
pre-login message, they represent a server-wide value, while in the
post-login message they represent the amount of data transferred by
the user.
_!TOTAL_LOGINS!_
The number of successful logins to the FTP server. Only valid in the
pre-login message.
_!GOOD_LOGINS!_ and _!BAD_LOGINS!_
The number of logins and unsuccessful login attempts. Only valid in
the post-login message.
_!LAST_LOGIN!_
The last successful login by the user. Only valid in the post-login
message.
These welcome messages are server-wide settings, and apply to all
users and groups. When you specify a welcome message for an FTP
group or an FTP user, it will override the post-login message defined
here.
ODBC Access
The ODBC option allows you to specify a database as a source of user
information.
With this dialogue you can set up a database to contain user
information. This can be any database type: Oracle, SQL Server,
Microsoft Access, or even a plain text file. You need to create an ODBC
data source that refers to this database so that Desktop Authority can
access it. The data source must be a so-called Machine Data Source,
as this is the only ODBC source available to processes running in the
system context.
498
Reference
When you have your database and ODBC data source ready, we advise
you to test it by querying it with a tool that supports ODBC queries,
such as a spreadsheet program.
You should have all user information available in one table. If you
already have a user database and user information is in separate
tables, you should set up a query within your database that contains
all user-related fields. Desktop Authority only reads from the database.
Suppose that you have a user database in a data source called
FTPUsers. The user information is present in a database table called
Users. A database user called ra is able to read from the Users table.
You should also supply the password for this user in the above form.
The Users table can have any number of fields in any order, but the
above figure assumes that these fields are present:
login (character string)
password (character string)
homedir (character string)
quota (integer, in bytes, optional)
downstream (integer, speed in bytes/sec, optional)
upstream (integer, speed in bytes/sec, optional)
disabled (integer, zero or non-zero, optional)
maxconns (integer, optional)
maxconnsperip (integer, optional)
welcome (character string, optional)
The only three mandatory fields are login, password and homedir. The
login and password fields contain the user’s login name and password,
in clear text. The homedir field must contain the user’s home
directory, which can be an absolute path (such as z:\ftp\users\~john)
or it can be relative to the server root (such as /users/~john).
Users have full access to their home directory, but have neither read
nor write permissions outside of it.
The quota field will not let the user store more data in his home
directory and its subdirectories than the number of bytes specified
here.
The downstream and upstream fields restrict download and upload
speed. They are optional, and should be an integer number specifying
bytes per second.
The disabled field should be an integer. When it’s non-zero, the user is
disabled and cannot log in.
499
Administrator's Guide
The maxconns field specifies the maximum simultaneous connections
to this FTP server for a user.
The maxconnsperip field specifies the maximum simultaneous
connections per unique IP address for a user.
The welcome string, if used, should contain a custom welcome
message for the user.
FTP Users
If you click on the FTP users tab under the Server Functions object
and select FTP Configuration, you can view, create or modify your
existing FTP users. These are only defined in Desktop Authority and
unlike NT users they do not exist outside of the FTP server.
As on the FTP Servers page, users are shown in a table, with a delete
column to the right.
Below this is the New FTP user button.
New FTP User
To create a new FTP user click on the New FTP user button on the FTP
Users tab of the FTP configuration page.
Enter the desired username and password in the above dialogue. You
can also specify upload and download speed limits for the user. If not
set to zero (meaning disabled) these options override the global FTP
server settings.
You can also enable or disable their ability to change this password,
and select an IP from the IP filter drop down menu.
Click Apply to create the user.
When you create a new user the following options become available:
Groups
Permissions
Ratio
Disable
Home/Quota
Max Connections
Welcome
Permissions Report
The newly created user cannot log in yet: you have to assign
permissions to them for an FTP server and a path so that the user is
able to use the account.
To allow anonymous access to an FTP server, you should create an FTP
user called anonymous. This user account is special: no password
checking is done upon login. You can assign permissions to the
anonymous user account as you would to any other user. By default,
the newly created anonymous user has no rights to any virtual FTP
server defined.
500
Reference
Groups
This dialog lets you specify the FTP groups to which the user belongs.
For more details on FTP groups, please see the next section.
Selecting a group that the user is a member of and clicking the Update
button will remove the user from that group. Selecting a group that
the user is not a member of and clicking the Update button will add
the user to that group.
The Back button takes you back to the main user editing dialogue.
Permissions
The following dialogue lets you edit users’ access to directories, and it
looks like this:
This dialog lets you edit users’ access rights to directories. To grant
access to a directory on a server, select the virtual server from the
server list, select the type of rights you wish to assign to the user,
enter the path to the directory and click the Update button.
The path you specify can be a full path, containing a drive letter, or a
path relative to the server’s root directory. If you assign rights to a
path that is not within the server’s root directory, the setting will have
no effect at all.
The following rights are possible:
L – Show directory contents.
Allows the user to list the contents of the directory.
R – Read file.
Download files from the directory.
C – Create subdirectories.
Create new directories in the directory.
D – Delete/rename file.
Delete or rename a file or a directory. Also required to be able to
overwrite files.
W – Create/modify file.
Create a new file and/or write data to it.
Full access.
All of the above.
The above settings let the user access FTP Server 1 – he has full
control over the contents of the server. These rights only apply to the
root directory of the server and all directories below that. The user
also has list, read and write access to the c:\work directory on FTP
Server 2. However, the user has no rights at all to the c:\work\java
directory on FTP Server 2. The user has no rights at all on FTP Server
3, meaning he cannot even log on.
501
Administrator's Guide
The rights you specify for a directory are automatically inherited by its
subdirectories, unless you specify different rights for them.
The following method is used when checking access rights to a
directory:
1. The current virtual server’s access list is enumerated for the
current user.
2. When the directory closest to the directory in question is found,
the access rights specified for that directory is used. For
example, if the user has LRW rights for C:\Work, he has LR
rights for C:\Work\CPP, and the directory in question is
C:\Work\CPP\Project1, only LR rights are returned – meaning
that the user can only list and read files, but not write to them.
3. If an NT user is specified for the server to run FTP accounts
under, further Windows NT-enforced restrictions might apply,
based on file system permissions.
You can also make the user member of one or more groups, and these
groups can also be members of one or more groups. For an
explanation of this scenario, please see the FTP Groups section.
Ratio
The following dialog lets you edit the upload/download ratio settings
for the user.
This dialog lets you edit the upload/download ratio settings for users.
The upload/download ratio lets you control how much data the user
has to upload before he can download anything.
If the Upload ratio is set to 1, and the Download ratio is set to 5, the
user can download 5 bytes for every byte uploaded. If it were the
other way around, the user would have to upload 5 bytes to be able to
download one. You can enter any positive integer number in either of
these fields.
There are four possible settings for the Ratio type:
1. None. The user is a normal user, and can download any file he
has read access to, without having to upload first.
2. Per session. When the user logs in, his counters are zeroed.
Should he lose connection while uploading or downloading, any
remaining credits he has will be lost.
3. Per user. The user’s credits are remembered over sessions. It is
not recommended if you want several users to share the same
account.
4. Per IP. Even if the user loses connection, his credits are
remembered, if he logs in again from the same IP address. This
does not cause a problem, even if the user account is shared by
hundreds of concurrent users.
502
Reference
The Per IP ratio information expiration time setting allows you to
expire the per-IP credits after a certain amount of time. If the user
logs back from the same IP address after not visiting the server for
this much time, he will have to start over building up his credits.
The ratio setting applies to all virtual servers.
To let the user download files without uploading, you can specify a
starting credit. The amount given is in kilobytes – the user will be able
to download the specified amount of data without uploading.
Disable
The following dialogue lets you explicitly disable (or ban) a user on a
virtual FTP server. Disabled users cannot log in, even if they have
rights on an FTP server. You can also disable a connected user from
the FTP status page.
Home/Quota
This dialogue lets you specify home directories for the user. A home
directory is basically the entry point for a user on an FTP server. When
the user logs in, he will find himself in the directory you specify here.
If no home directory is specified, he will be logged in to the server’s
root directory. The user can move out from his home directory if he
has rights to an outside directory. You can use a full path, starting with
a drive letter, when specifying home directories – or you can enter a
relative path to the server’s root directory. Home directories specified
above the server’s root directory are disregarded.
You should make sure that the user has rights to his entry point on the
server – either to his home directory, or if the home directory is not
specified, to the root directory of the server. If the user has no rights
to the entry point, he will not be able to log in.
You can specify quotas for your users. Quotas are only enforced on
home directories, and apply to all files contained in the home directory
and its subdirectories. If a user has rights to upload files outside of his
home directory, he will be able to do so without restrictions – quotas
only apply to the home directory and its contents.
Since Windows does not support disk quotas for user accounts,
Desktop Authority has to enforce them. When a user starts to upload a
file, the FTP server quickly scans the contents of the directory to
determine if the user is below or above the quota. If the quota is not
exceeded, the upload can be started – however, the FTP server will
interrupt the transfer as soon as the file being uploaded starts to
exceed the specified quota.
Home directory quotas are entirely optional, by leaving the field empty
you choose not to limit the amount of data that can be stored on the
server by the user.
503
Administrator's Guide
Maximum Connections
You can specify the maximum number of simultaneous connections for
a user account in this dialog. By default, a user account can be used to
log in any number of times, until exhausting the maximum number of
connections for the virtual FTP server, or exhausting the resources of
the computer.
Simply select the server on the right, enter the number of maximum
simultaneous connections in the Count field and click the Update
button.
To remove a limitation, select it in the list on the left and click the
Update button.
You can also limit the number of simultaneous connections for the user
from a computer or IP address. The Per IP field serves this purpose.
When left blank, or a zero is entered, this limitation is disabled. If you
enter a numeric value, a single computer can be used to log in that
many times with the account.
It is a good idea to limit certain user accounts (for example the
Anonymous account) this way. An overall maximum connection limit
ensures that the server cannot be overloaded by thousands of
Anonymous users, and a Per IP limitation makes sure that no single
user can take up all available connections.
Welcome
You can compose a custom welcome message for the user in this
window.
——————————————————————————————
Welcome, _!USER_NAME!_, to _!SERVER_NAME!_.
Your last successful login was at _!LAST_LOGIN!_.
Good logins so far: _!GOOD_LOGINS!_.
Bad logins so far: _!BAD_LOGINS!_.
You have uploaded _!BYTES_UP!_ and downloaded
_!BYTES_DOWN!_ in your previous sessions.
_!QUOTA!_
——————————————————————————————
Messages specified here override any post-login message specified for
the virtual FTP server. In this case, messages specified for any groups
the user belongs to will be disregarded as well. See the equivalent
section on welcome messages above for the available variables.
504
Reference
Permissions Report
The permissions report can be retrieved for any FTP user. It will list all
FTP servers, and all the rights a user has on the given server. Here is
a sample report for a user on FTP Server 2:
You can see that the user can list, read and write to files in the
C:\Work directory. The Inherited from column shows that this
particular right was granted to the user himself.
The user has full access to the C:\Work\files directory, due to being a
member of the filexfer group. As a member of the web group he also
as full access to the C:\Work\websites directory.
He has no rights at all to the C:\Work\Java directory – and it is clear
that the user himself has been denied access.
This report can be useful if you have a more complicated setup of
groups and users, and would like to see what exactly the user can do
on the system, and from where these rights come.
FTP Groups
If you click on the FTP Groups tab under the Server Functions object
and select FTP Configuration you can easily control the resources
available to your FTP users. As on the FTP Servers and Users pages,
groups are shown in a table, with a delete column to the right.
To add a new FTP Group click on New FTP Group.
General Group Settings
You can make a group a member of another group, thus bringing in
any permissions or restrictions for its member users from the parent
group.
Selecting a group in the Member of list and clicking the Update button
will remove it from that group. Selecting a group in the Not member of
list and clicking the Update button will add the group to it.
You can also specify a welcome message for a group. Whenever a
member logs in, he will see this message instead of the server’s
general welcome message.
Permissions
With this dialogue you can specify the rights to servers and directories.
The dialogue works very much like the FTP User Rights dialog. For a
basic description please see the appropriate section of this document.
There are some scenarios, however, that might require further
explanation.
505
Administrator's Guide
Suppose the following, rather complicated scenario:
•
User1 is member of Group1.
•
Group1 is member of Group2 and Group3. On the
membership display, Group2 is shown first and Group3 is
shown second.
•
User1 is granted LR access to C:\, and LRW access to
C:\Work.
•
Group1 is granted full access to C:\, LR access to C:\Work,
and LRWD access to C:\Work\CPP.
•
Group2 is granted LR access to C:\Work\CPP and full access
to C:\Work\CPP\Project1
•
Group3 is granted LR access to C:\Work\CPP\Project1
So, what exactly User1 can do in the aforementioned directories?
•
C:\
He has LR rights. He was explicitly granted LR rights to this
directory, and this overrides anything else.
•
C:\TEMP
He has LR rights. He was explicitly granted LR rights to the
directory closest to this one (C:\), and no groups that he is a
member of, directly or indirectly, specify anything else for the
C:\TEMP directory.
•
C:\Work
LRW rights again. See the first case.
•
C:\Work\CPP
LRWD, because Group1 has LRWD rights. Even though Group2,
which Group1 is a member of, specifies LR access for this directory,
Group1 is the least indirect object that specifies actual rights for
the directory. Group2 is one more indirection away, with User1
only being a member of it because he is a member of Group1, and
is therefore overridden by Group1.
•
C:\Work\CPP\Project1
Full access. Both Group2 and Group3 are two indirections away,
they both specify access rights to the same directory, so the
deciding factor between Group2 and Group3 is that Group2 is the
first one in the list on the membership display of Group1.
506
Reference
With this dialogue you can specify the rights to servers and directories.
The dialogue works very much like the FTP User Rights dialog. For a
basic description please see the appropriate section of this document.
There are some scenarios, however, that might require further
explanation.
Suppose the following, rather complicated scenario:
•
User1 is member of Group1.
•
Group1 is member of Group2 and Group3. On the
membership display, Group2 is shown first and Group3 is
shown second.
•
User1 is granted LR access to C:\, and LRW access to
C:\Work.
•
Group1 is granted full access to C:\, LR access to C:\Work,
and LRWD access to C:\Work\CPP.
•
Group2 is granted LR access to C:\Work\CPP and full access
to C:\Work\CPP\Project1
•
Group3 is granted LR access to C:\Work\CPP\Project1
So, what exactly User1 can do in the aforementioned directories?
•
C:\
He has LR rights. He was explicitly granted LR rights to this
directory, and this overrides anything else.
•
C:\TEMP
He has LR rights. He was explicitly granted LR rights to the
directory closest to this one (C:\), and no groups that he is a
member of, directly or indirectly, specify anything else for the
C:\TEMP directory.
•
C:\Work
LRW rights again. See the first case.
•
C:\Work\CPP
LRWD, because Group1 has LRWD rights. Even though Group2,
which Group1 is a member of, specifies LR access for this directory,
Group1 is the least indirect object that specifies actual rights for
the directory. Group2 is one more indirection away, with User1
only being a member of it because he is a member of Group1, and
is therefore overridden by Group1.
•
C:\Work\CPP\Project1
Full access. Both Group2 and Group3 are two indirections away,
they both specify access rights to the same directory, so the
507
Administrator's Guide
deciding factor between Group2 and Group3 is that Group2 is the
first one in the list on the membership display of Group1.
FTP Status
When you click on FTP Status under Server Functions in the menu you
can view the current status of each of your virtual FTP servers.
For each server, it provides a listing of all current connections and
their current activity. The fields in the list are:
Icon
This field shows a small icon, representing the current status of the connection. A green checkmark
indicates a ready, or idle connection. An hourglass indicates a connection currently in the process of
logging in or becoming ready. An up or down arrow indicates uploading or downloading.
User name
The name of the user associated with the connection. For NT users, it is in an
AUTHORITY\ACCOUNT form. For FTP users, it’s simply the username. For connections not yet
logged in, it’s N/A.
Control address
The IP address of the FTP control connection.
Downloaded
Bytes downloaded during this connection.
Uploaded
Bytes uploaded during this connection.
Data address
The IP address of the FTP data connection, if applicable.
Path
The path and name of the file currently being uploaded or downloaded, if any.
Speed
The speed of the upload or download process.
Bytes left
The amount of data left from the transfer operation. Only applies to download transfers, since the FTP
protocol does not let the server know the size of the file being uploaded in advance.
Est. time left
The estimated time remaining from the transfer operation. Only applies to download transfers, for the
same reason as the previous item.
Kick
This button kicks the user out – in other words, terminates the connection.
Ban user
This button kicks and then bans the user from the FTP server. Only applies to FTP users, and not to
NT users. The user’s properties will show him as disabled on the server he was banned from.
Ban user IP
This option first kicks the user from the server in question, then adds an IP filtering rule to the user
object that will prevent him from logging in again from the IP address in question. He will have the
ability to log in from other IP addresses (depending on IP filtering setup) and the IP address will only
be disabled for this user.
Ban server IP
This button kicks the user, then adds an IP filtering rule to the server object that will cause the server
not to accept connections from the IP address in question at all. The user will be able to log in from
other IP addresses.
Anti-hammering
Information for each server is also shown, where applicable. It is in the following format:
508
Reference
IP address
The address the attempted connection came from.
Expires at
The time when the information will be discarded – users will be able to establish connections from the
IP address at this time again.
Bad logins
Number of bad logins from the IP address.
Delete
Clicking this button will remove the anti-hammering information from the FTP server’s memory, thus
making the IP address available for logins, had it been locked out.
The Refresh button refreshes the contents of the screen to reflect any
changes, while the Back button goes back to the main FTP settings
screen.
FTP Statistics
If you click on FTP Statistics under Server Functions in the menu you
can view per-server and per-user statistics, such as the last login,
number of logins, bytes sent and received, etc.
The red button labeled Reset for servers and FTP users, or Delete for
NT users will reset or delete statistics kept on that object.
Port Forwarding Config
Desktop Authority also comes with Port Forwarding Server. This allows
you to forward one or more TCP or UDP ports on one computer to
another so that separate networks can be bridged.
Before getting into the details of how you would configure your Port
Forwarding Server (PFS) we will look at how it works. Picture the
following scenario:
You have a Local Area Network (LAN), connected to the Internet with a
firewall / proxy server. The computers on the LAN all have nonInternet IP addresses, and they connect to the outside world via the
proxy server.
If you have Desktop Authority installed on any computer on the LAN —
say, the fileserver — you would be able to access it from within the
LAN without any problems. However, it is not accessible from the
Internet.
If you set up Desktop Authority and PFS on the firewall, so that a
certain port (say, 3000) on the firewall is forwarded to the fileserver’s
IP address and Desktop Authority port (2000 by default), accessing
port 3000 on the firewall will let you access Desktop Authority on the
fileserver. Both from within the LAN and from the outside as well.
When you click on Port Forwarding Configuration under Server
Functions in the menu you can set up the above scenario. In order to
look at the interface for this feature we will look at some more possible
scenarios.
509
Administrator's Guide
Imagine, for example, the following situation:
The firewall’s Internet IP address is 145.236.120.227
The firewall’s LAN IP address is 192.168.0.2
The fileserver’s LAN IP address is 192.168.0.10
Desktop Authority is installed on both computers, and is listening on
port 2000.
The IP addresses used in the foregoing are for demonstration
purposes only.
What we need to do is simple: map port 3000 on the firewall
computer to port 2000 on the mail server (dns name
mailserver.company.com. Having called up the Port Forwarding
Configuration screen from the menu you can now add a new rule by
clicking the Create forwarding rule button.
The Incoming Protocol field will be TCP. Other protocols (SSL, CSSL)
will be discussed later. The Incoming IP Address can be either All
available meaning that the port will be forwarded from all IP
addresses of the firewall. If you want to use a single IP address
instead of all assigned ones, select it here. The Incoming Port can be
anything not already in use on the computer - let’s assume 3000 for
now.
The Outgoing Protocol will be TCP. The Outgoing IP Address will be
mailserver.company.com (or the actual IP address of the host), and
the Outgoing Port will be 2000. The Defer Close and the I/O Timeout
values can be left to their defaults. These will be explained later.
The Description field lets you specify a remark associated with the port
forwarding item. This will be displayed on the main screen.
If you fill out the dialog and click the Add button, the item will be
listed on the main PFS screen.
That’s really all there is to it. Your first port forwarding item has now
been configured.
Advanced Options
You can edit a port forwarding item by double clicking it, or by
selecting on it and clicking on the Modify Rule button.
You can specify IP address restrictions for the item from the IP filtering
drop down. This works exactly like the Desktop Authority IP Address
Filtering feature, only it restricts incoming connections to the
corresponding port forwarding item only. For more information, please
read the documentation on IP Address Filtering
I/O Timeout
This setting lets you specify how long the PFS will hold a connection
open with no data going through it in either direction. When the
amount of time specified here is reached and the connection is idle,
both ends of the connection will be closed gracefully.
510
Reference
Defer Close
This setting lets you specify a timeout value for a special condition.
When one end of the connection has been closed, but the other is still
open, PFS will wait this much time for the open end of the connection
to be closed. It will then close the connection itself.
Incoming and Outgoing Protocol
These fields let you specify SSL or CSSL as well as TCP. To translate
SSL connections to TCP or TCP to SSL, and thus behave as an SSL
proxy for applications that are not SSL-enabled, simply set one end to
SSL and the other end to TCP.
There are situations when SSL encryption would be a very nice thing
to have, but neither the client nor the server support it. In this case,
you can use two installations of Desktop Authority: one to translate
the connection from TCP to SSL, the other to translate it back from
SSL to TCP.
Let’s suppose that you are using a laptop with a dialup account, and
your email software does not support SSL. Let’s also suppose that your
corporate mail server does not support SSL either. If you still want to
keep your email secure, you can install Desktop Authority both on your
laptop and on the email server, and set up a port forwarding item on
both computers.
On your laptop, you would need to do the following:
1. Create a port forwarding item with the incoming IP address as
127.0.0.1 (the loopback address), the incoming port as 3110,
the incoming protocol is TCP. The outgoing IP address or host
name would be set to that of your email server, the outgoing
port would be set to 3110, and the outgoing protocol would be
SSL.
2. Change your email client’s preferences so that the POP3 server
is 127.0.0.1 and the port is 3110.
On the mail server, you would need to only create one port forwarding
item, with the incoming IP address set to your mail server’s Internet IP
address, the incoming port would be 3110, and the incoming protocol
would be SSL. The outgoing IP address would be the same (the mail
server’s Internet IP address), the outgoing port would be 110 (the
standard POP3 port), and the outgoing protocol would be set to TCP.
If you performed the above three steps, starting up your email client
and checking for mail would actually go through two port forwarding
servers; the first one being on your own computer, encrypting all data
before it’s sent to the mail server. The mail server’s port forwarding
server would receive the encrypted data, and decrypt it before sending
it on to the actual mail server software. Data flowing in the other
direction would be also seamlessly encrypted and decrypted.
511
Administrator's Guide
However, if you have two Desktop Authority Port Forwarding Servers
talking to each other, you could also utilize the proprietary CSSL
protocol instead of using plain SSL. CSSL, which stands for
Compressed SSL, would also seamlessly compress and uncompress
your data as well as encrypt and decrypt it - to keep to the above
example, making your mail arrive much faster over a dialup
connection. (And also, to properly finish the laptop/email example, you
would also have to create one additional port forwarding item on both
computers for the SMTP protocol that is used to send email as opposed
to receiving it. This runs on port 25 by default.)
Port Forwarding Status
If you have configured your Port Forwarding Server as in the examples
above, you will be able to view the status of your Port Forwarding
connections by clicking on Port Forwarding Status under Server
Functions in the menu.
512
Reference
SCHEDULING AND ALERTS
Under Scheduling & Alerts you can make use of Desktop Authority’s
scripting capabilities, as well as set up a service to send you email
alerts when certain events occur on the remote machine.
This powerful feature of the Remote Manager enables you to monitor
the system based on the performance data collected.
You can also define conditions, and actions to be performed. A
condition and an associated action are known as a rule.
Use the System Monitoring option under Scheduling & Alerts in the
menu to make changes and create new rules.
A rule has the following structure:
<rule name> (delay)
{ <condition> { <action1> } else { <action2> } }
For example:
"Check Memory Usage" (10m)
{
MemUsageAboveFor(70%, 20m)
{
SendMail("administrator@company.com","Memory usage
on [MACHINE]","High memory utilization!\n""(Max:
[MAX_USAGE])");
}
else
{
SendMail("administrator@company.com","Memory usage
back to normal","See topic.");
}
}
The above rule executes every 10 minutes (delay), and checks the
condition MemUsageAboveFor. In the above scenario, if the memory
utilization is above 70% for 20 minutes or more, the condition
becomes true, and action1 is executed.
The action, in this case, will send an email to
administrator@company.com describing what has happened. The rule
will keep checking the condition every 10 minutes after the condition
has become true. If it’s still true, it does nothing – but if it becomes
false (that is, the emergency situation is resolved) it executes action2.
In that case, Desktop Authority will email the administrator to let him
know that the problem has been resolved.
513
Administrator's Guide
The action can consist of several statements – they have to be
separated with a semicolon. Such as:
MemUsageAboveFor(70%, 20m)
{
SendMail(“administrator@company.com”,“Memory usage on
[MACHINE]”,“High memory utilization!\n” “(Max:
[MAX_USAGE])”);
SendMessage(“administrator”,“High memory utilization on
[MACHINE]!\n” “(Max: [MAX_USAGE])”);
}
There is one special rule that can – and should - be defined: it’s called
ERROR. If something goes wrong while performing actions – for
example, when the user Administrator is not logged on and the above
actions are executed, SendMessage will fail – ERROR is executed,
allowing you to customize error-handling behavior.
You can enable or disable certain conditions with the dialogue that
appears when you select System Monitoring
The Edit script button lets you edit the monitoring script in your
browser.
Email Alerts
When log entries matching a certain criteria are entered into any of
the event logs you can have Desktop Authority send you email alerts
to an email address of your choice.
Email alerts will not work until you configure your SMTP server under
Preferences > Network.
Once you've set that up, you can configure email alerts according to
the following criteria:
Log
The event log to watch.
Type
Can be Error, Warning or Information. It is not necessary to specify
this field.
Source
Type in the source of the message you want to be alerted on. For
example, Security, Disk, etc. This field is optional.
Category
Type in the category of the message as it would appear in the event
log. This field is optional.
514
Reference
Event
Type in the event code as it would appear in the event log. This field is
optional.
Email
The email address the notifications are sent out to. You can only
specify a single email address per entry, so if you want several people
to receive these messages you should specify a group alias here.
Task Scheduler
The Task Scheduler differs in behavior on NT and W2K systems. On
NT, it gives you a simple interface to NT’s Scheduler. In order to be
able to view, add and delete tasks, the Schedule service must also be
running.
On W2K, it interfaces with the updated task scheduler service instead
of the old but still present Scheduler. It allows you to create multiple
triggers for a single task, specify different user accounts to run tasks
under, and so on. It supports the entire feature set of the W2K Task
Scheduler.
On the main page, you can see a list of all currently scheduled tasks.
The table shows you the following:
•
the ID of the task
•
the command to be executed
•
the time of the day the command is to be run
•
the days of the week and month on which the command is
scheduled to run
•
whether the command is interactive (that is, shows on the
desktop)
•
whether the last run of the job ended successfully
You can remove a task from the list by selecting it and clicking on the
delete button in the toolbar.
You can add a new scheduled task by clicking on the Create New Task
button. You can also check and modify the attributes of your existing
tasks by double clicking them or via the Change attributes button in
the toolbar. These attributes are organized under three tabs, with the
headings Task, Settings and Schedule.
515
Administrator's Guide
Scripting
Desktop Authority provides an extension interface in which you can
create custom scripts that interact with the system, Desktop Authority
and the user. You will be presented with a list of custom scripts, if any
exist.
Clicking on the name of the script will execute it. The Edit command
will bring up a page with the source code of the script, where you can
edit and compile your program. The Delete command removes the
script. To create a new script, enter its desired name in the input field
and click the New script button.
There are three kinds of scripts you can create:
1. Interactive
2. Quiet
3. Hybrid
Interactive scripts display their output on HTML pages, within the
Desktop Authority frameset. An example for an interactive script is the
File.sma script, which is installed with Desktop Authority. These scripts
do not have to return a value from their main function. They
communicate with the user via the htmlBeginOutptut(),
htmlEndOutput(), and various other html***() functions.
A Quiet script is one that is usually called from the System Monitoring
script. It does not display output. A return value is required at the end
of the main function. A skeleton example for a Quiet script is here:
This script does not do anything useful. It simply returns a zero value,
meaning that no problem has occurred. If you attempt to run this
script from the Script menu, you will get a message similar to this:
#include <ra>
main ()
{
return 0;
}
Hybrid scripts, on the other hand, are executable interactively and also
return a value at the end of their main function. Hybrid scripts check
the return value of the htmlBeginOutput() function, and if it’s a zero
value, the script is run in non-interactive mode. (That is, it is invoked
from the System Monitoring script, via the Small() function call.)
For a complete reference of the scripting language, please see the
Small Booklet (smalldoc.pdf) available for download from
www.scriptlogic.com.
If you have experience in programming in C or C++, and have a basic
understanding of HTML, you will be creating your own scripts in no
time.
516
Reference
ODBC Messages
Specify an ODBC Data Source and table to write messages to. The
messages are written to this database via a script defined in Scripting
and System Monitoring.
Data Source
Enter the Data Source name that will enable the database connection.
User Name
Enter the User Name that is used to access the tables using the
specified DSN.
Password
Enter the Password that is used to access the tables using the
specified DSN.
Table Name
Enter the Table that the script will write messages to.
Message
Enter the Message to be written to the database.
Computer Name
Enter the Computer Name.
Time Stamp
Enter the Time Stamp.
517
Administrator's Guide
PERFORMANCE MONITORING
The items under Performance Monitoring allow you access to the
performance data collected by Desktop Authority. Descriptions for
each of the choices can be found below. When you open this branch of
the navigation tree you’ll notice that all the items are just data pages.
They can be configured under the Scheduling & Alerts object. Select
System Monitoring
CPU Load
This option takes you to a page with a number of graphs and lists. The
graphs show CPU utilization with various sampling rates. Please note
that Desktop Authority needs time to gather performance data for
these graphs. If you have just installed the software, it is likely that
only the left-hand side of the first graph will show you meaningful
information. If you have multiple CPUs in your computer, you will see
separate graphs for each one, as well as a set of graphs showing you
the total CPU load.
The sampling rate for the first graph is 2 seconds, so the graph spans
less than an hour. This is useful to see what’s happening right now on
the machine. If you move your mouse over a line in one of the graphs,
the tooltip that pops up tells you exactly when the sample was taken.
The list at the bottom shows the processes that take up most of the
processor time. This list is weighted, so younger processes that take
up a lot of processing time come closer to the top. (The figure is:
PROCESSOR_SECONDS/PROCESS_AGE_SECONDS). So, if you see a
sudden spike on the first graph you can check the second list and
immediately find out which process is eating up processor time.
Clicking on an item in the ID column will display the relevant data on
that process, organized under six separate tabs (General, Threads,
Services hosted, DLLs, Open Files, and Registry Keys In Use).
Memory Load
This option will present you with four graphs similar to those on the
CPU Load page. These display the memory utilization on the machine.
Disk Space
Graphs displaying the disk space utilization per logical disk are
available under this menu item.
518
Reference
Drive & Partition Info
This page displays all physical drives in the remote computer and their
partition tables. This data is organized onto two separate tabs for
Physical Drives and Partitions, and Logical Drives.
Open TCP/IP Ports
This option will present you with a listing of all open IP endpoints on
the computer. You can specify whether you'd like to see the ports that
are listening for connections, ports that have been connected to
another computer, and ports in various stages of being connected and
disconnected. You can also elect to have Desktop Authority resolve IP
addresses appearing in the list of hostnames - please note that this
can take a considerable amount of time.
Network
The data displayed under Network is organized under two sections,
Inbound Network Traffic and Outbound Network Traffic.
Each option, Inbound/Outbound Network Traffic, takes you to a page
with a number of graphs. The graphs show network traffic at various
sampling rates. Please note that Desktop Authority needs time to
gather performance data for these graphs. If you have just installed
the software, it is likely that only the left-hand side of the first graph
will show you meaningful information.
The sampling rate for the first graph is 2 seconds, so the graph spans
less than an hour. This is useful to see what’s happening right now. If
you move your mouse over a line in one of the graphs, the tooltip that
pops up tells you exactly when the sample was taken.
PCI Information
If you click on PCI Information you can view all hardware connected to
the PCI bus or buses in the system.
Open Files
This option will show a listing of all files currently open on the remote
computer, along with the names of the processes using them. The
processes list is clickable, so you can view data on the processes, and
if necessary, kill them.
519
Administrator's Guide
Registry Keys in Use
Under Registry Keys in Use you can view a list of all registry keys
currently open on the remote computer. As with open files, you can
also see the names of the processes that use them. The processes list
is clickable, so you can view data on the processes, and if necessary,
kill them.
DLLs in Use
Here you can view a listing of all currently loaded dynamic link libraries
and the processes that use them. The processes list is clickable, so you
can view data on the processes, and if necessary, kill them.
DA Connections
Selecting this option will display all current connections currently being
served by Desktop Authority. It will display the IP address and host
name of the remote computer, the type of connection and the name of
the Windows NT user associated with the connection. The connection
type can be one of the following:
(Browser)
HTTP A typical browser connection requesting a page.
Remote Control
A Java remote control client.
Upload Status Viewer
A Java applet displaying the progress of a File Manager upload.
Performance Viewer
The Java applet above the menu, displaying CPU and memory
utilization.
Telnet/SSH Connections
Selecting this option will display all current Telnet/SSH connections
currently being served by Desktop Authority. It will display the IP
address and host name of the remote computer, the type of
connection and the name of the Windows NT user associated with the
connection.
520
Reference
SECURITY
The menu items under Security allow you access to Desktop
Authority’s various enhanced security features.
Access Control
Here you can control who has access to Desktop Authority. This is
slightly different on Windows 9x and Windows NT, due to lack of a user
database on the Windows 9x family of operating systems. We'll cover
Windows NT first.
Before getting into the details of setting up users here we'll look at the
lower part of the Access control page. Here you can enable or disable
the following features:
Allow full control to administrators
This is enabled by default. It adds Full Control permission to all
administrators of the computer. If you turn it off, only users
explicitly granted permission to use Desktop Authority will have
access.
NT LAN Manager Authentication
Enable/Disable NTLM authentication. For those of you concerned
about security, Desktop Authority supports the Windows NT
Challenge/Response type authentication. You must use Internet
Explorer to take advantage of this feature. Netscape will always use
the default authentication method, which means that passwords
travel in Base64-encoded clear text over the network. You need not
worry about exposing your password to eavesdroppers if you are
using HTTPS to secure all communications between your browser
and Desktop Authority.
Save user name in a cookie
Finally, you can configure Desktop Authority to remember your user
name in a cookie.
The upper portion of this dialog lists users already granted access to
Desktop Authority. The Add button lets you specify a Windows user
or group, and the access mask you wish to assign. The red Remove
button next to each entry in the list will remove that user or group
from the access list.
521
Administrator's Guide
The following list details the options available for an entry in the
permission list.
Section
Permission*
Description
Login
[R]
Anyone with any sort of access to
Desktop Authority is implicitly
granted Login access. This allows
for looking at the Info page,
reading the Help file, chatting with
the user in front of the computer,
and logging out.
Configuration
[R][W][D]
Users with access to the
Configuration module have access
to all Basic permissions plus
Computer Settings > Automatic
Priorities, Server Functions > FTP
capabilities, Performance
Monitoring > Telnet/SSH
Connections, Security > IP
configurations and Preferences.
Keep this in mind this grants users
access to modifying Desktop
Authority permissions.
Scripts
[R][W][D]
Users can execute, create, change
or delete scripts.
Event Viewer
[R][W][D]
Allows the use of the Event Viewer
module under Computer
Management.
File System
[R][W][D]
Allows the use of the File Transfer
module, Computer Management >
File Manager and Security >
Desktop Authority Logs.
Registry
[R][W][D]
Allows for editing and compacting
of the registry under Computer
Management..
Performance
Data
[R]
Ability to view performance and
system information data under
Performance Monitoring.
Processes
522
Allows access to the Process List,
and adds the ability to terminate
processes and/or change their
priorities. These items can be
found under Computer
Management.
Reference
Reboot
[R]
Allows rebooting the computer and
restarting the ScriptLogic service.
This section can be found under
Computer Management.
Remote Control
[R][W][D]
Allows use of both the screenshotbased and the Java-based Remote
Control module.
User/Group
Accounts
[R][W][D]
Allows the use of the User Manager
module found under the Computer
Management section.
System
Configuration
[R][W][D]
Allows the user access to Computer
Settings.
SSH Shell
[R]
Allows access to a command prompt
on the host computer via the SSH
protocol.
SSH Port
Forward
[R]
Grants the user rights to use SSH
Port Forwarding.
SSH Privileged
Port Forward
[R]
Grants the user rights to use SSH
Privileged Port Forwarding.
SCP
[R]
Grants the user rights to use SCP
(Secure file Copy Protocol).
SFTP
[R]
Allows the user access to the file
system of the host computer via the
SFTP (Secure File Transfer Protocol).
Telnet (DA
Client)
[R]
Allows the user to use the secured
telnet client found in the browser
under the Command Prompt item.
Telnet
[R]
Allows access to the machine via
Telnet - either using the built-in
telnet client or any standalone
terminal emulator.
Full Control
Adds all possible permissions to a user. It is
recommended to have at least one account that
has Full Control capabilities.
IP Filter
Assign an IP filter profile to the user, and specify
which IP addresses can or cannot be connected
from.
[R]
[W]
[D]
Read Access
Write (Update) Access
Delete (Remove) Access
523
Administrator's Guide
You can select individual permissions, or specify Full Control. You
can also restrict the user to an IP address or a network by creating
an IP Filter under the Security object. Select IP Filter menu. To
restrict the user to a single IP address, enter it in the IP Address
field, and leave Subnet Mask blank. To specify access from a
network, enter the network address in the IP Address field, and
enter the subnet mask in the Subnet Mask field.
Special care needs to be taken with a few of the above options.
Users with access to Configuration and Registry Editor can also
access and change the Desktop Authority configuration data,
including permissions. However, the Registry Editor option can be
considered safe, since the administrator can change permissions on
the HKLM\Software\Desktop Authority key and protect it from
unwanted access. Users who can Create/Edit Scripts can also create
programs in the Small language that run on the remote computer.
These scripts will be run under the account of the person starting
the script from the Scripts menu – except when a Small program is
called from the system monitoring script. In this case, the program
is run under the LocalSystem account.
With the exception of the Reboot, Remote Control and Processes,
Windows NT access restrictions apply. For example, you can grant
someone access to the File Manager, but they will only be able to
access files and directories their Windows NT account has
permissions to. The same goes for the Registry Editor, User
Manager, etc.
The above exception for Reboot, Remote Control and Processes is
made to provide you maximum control over your system, and
Desktop Authority uses the all-powerful LocalSystem account to
perform the above tasks. For example, not even an Administrator
has sufficient rights to terminate a service process - but with
Desktop Authority performing this action under the LocalSystem
account, any process can be terminated. Remote Control is another
exception. When you are remotely controlling the system with
Desktop Authority, you have access to the mouse and the keyboard
of the system. If nobody is logged on interactively, you will need to
use the NT Logon dialog to gain access to the desktop, typing in a
username or password, possibly different than the one you are
accessing Desktop Authority with. If there is a user logged on to the
host computer, you will be working under his account.
Access rights are cumulative. That is, if Group A has access to the
Event Viewer, and Group B has access to the File Manager, a user
who is a member of both groups will have access to both modules.
If the machine is a domain controller, the user accounts and groups
that appear are listed from its domain. If the computer is not a
domain controller, local users and groups are displayed. You can
specify where to list accounts from by typing the name of the
domain or the computer in the input field and clicking the List
accounts button.
524
Reference
You can also restrict a certain user to an IP address or an IP address
range. Please remember that access rights are cumulative: if Group
X has full access to Desktop Authority and is not bound to an IP
address and User Z is a member of that group, he will always have
full access, even if you bind him to a specific IP address or network.
To allow a user or group access from two or more IP addresses or
networks, simply grant them the same permissions several times,
but with different IP restrictions.
Access rights are stored in the registry value
HKEY_LOCAL_MACHINE/Software/Desktop Authority/Permissions in
binary form. This data is basically a listing of the Security Identifiers
of the groups or users, the access mask associated with them, the
network they might be restricted to, and a CRC value. By default,
any data under the HKEY_LOCAL_MACHINE/Software key can only
be changed by administrators or the LocalSystem account. Windows
NT reserves the latter for services and the operating system itself.
There are a few options on the lower part of the Access control
page. Here you can enable or disable the following features:
Allow full control to administrators
This is enabled by default. It adds Full Control permission to all
administrators of the computer. If you turn it off, only users
explicitly granted permission to use Desktop Authority will have
access.
NT LAN Manager Authentication
Enable/Disable NTLM authentication. For those of you concerned
about security, Desktop Authority supports the Windows NT
Challenge/Response type authentication. You must use Internet
Explorer to take advantage of this feature. Netscape will always use
the default authentication method, which means that passwords
travel in Base64-encoded clear text over the network. You need not
worry about exposing your password to eavesdroppers if you are
using HTTPS to secure all communications between your browser
and Desktop Authority.
Save user name in a cookie
Finally, you can configure Desktop Authority to remember your user
name in a cookie.
Note: Any Access Control permissions set locally on a
workstation will be overwritten by the permissions specified
in the Remote Control tab of the Desktop Authority Manager.
525
Administrator's Guide
IP Address Lockout
With Desktop Authority’s IP Address Lockout feature you can detect
and temporarily lock out potential intruders.
This security precaution allows you to configure two specific types of
filter. These are called the Denial of Service Filter and the
Authentication Attack Filter. The first is a precaution against unwanted
intruders who slow your remote machine to a halt by continuously
requesting the same service. The second locks out those who
persistently try to get past your log-in screen without authorization.
The configuration for each is identical, although the default values
differ due to the differences in the kind of attack they are designed to
prevent.
Active
By ticking this box you will enable this feature. This can be useful if
your server is exposed to the Internet. IP Lockout will prevent
people from gaining access to the administrator username and
password using brute-force methods, or from tying up your services
through relentless requests.
Number of invalid attempts before locking out
Specify the number of login attempts before a lockout occurs.
Reset invalid attempt counter after
After the amount of time specified in this box elapses, the invalid
attempt count of the offending IP address will be reset to zero.
Lock out for
If there were a number of bad login attempts from the same IP
address, as specified in the second field, within the time period
specified in the reset count field, all attempted connections from the
offending IP address will be rejected for the amount of time given
here.
Bad login attempts and lockouts are logged in the
DesktopAuthority.log file if you have logging enabled.
526
Reference
IP Filtering
With Desktop Authority’s IP address filtering feature you can specify
exactly which computers are allowed to access Desktop Authority on
your system.
The above simple interface lets you maintain IP address restrictions. If
the Current IP Address Filters list is empty, then filtering is disabled.
The Up, Remove and Down buttons let you manage already entered
filters. Select one item in the list, and move it up or down with the
appropriate buttons, or remove it altogether.
The New Item fields let you specify a new filtering item. You can enter
the following:
1. A single IP address
2. An IP address with a subnet mask, essentially granting or
denying access for a whole network.
3. An IP address with wildcards and no subnet mask. Accepted
wildcards are an asterisk (*) that matches any number of
characters, or a question mark (?), that matches a single
character only.
The Allow and Deny drop down lets you specify whether you want to
allow or deny access to the IP address or addresses entered.
Whenever a new connection is established to Desktop Authority, the
remote IP address is checked against the filter or filters in the list, and
access is granted or denied accordingly. The IP filters that you set up
here apply to every connection received by Desktop Authority, except
for those aimed at the FTP Server. To specify IP address restrictions
specific to this module you will need to use its specific IP filtering
options.
How IP Filtering works
When an IP address is checked against a list, Desktop Authority goes
from the first element of the list to the last, comparing the IP address
against the item. If the item is a single IP address, it only matches
the remote IP if they are equal. If the item is an IP address with a
subnet mask, a logical AND operation is performed on the subnet
mask and the remote IP address, and the result is checked against
the item’s network address to see if the remote IP address is in fact
on the network. If the item is a wildcard, the remote IP address is
converted to its dotted textual representation and the two strings are
compared.
When a match is found, Desktop Authority checks if it should allow or
deny the connection, based on the allow/deny flag belonging to it.
This result is then used to decide whether to let the connection
proceed.
527
Administrator's Guide
If no match is found, then the connection is allowed. If you would like
all connections to be denied by default, except for those in the list,
enter a DENY:* line as the last item on the list.
Examples:
1. Allow connections from IP address 215.43.21.12 and the
network 192.168.0.0, and deny all other connections:
ALLOW:215.43.21.12
ALLOW:192.168.0.0 (255.255.0.0) –OR- ALLOW:192.168.*
DENY:*
2. Allow connections from IP address 215.43.21.12 and the
network 192.168.0.0, but not from the address 192.168.0.12,
and deny everything else:
ALLOW:215.43.21.12
DENY:192.168.0.12
ALLOW:192.168.0.0 (255.255.0.0) –OR- ALLOW:192.168.*
DENY:*
Please note that denying the connection from
192.168.0.12 comes before allowing connections to the
192.168.0.0 network. This is because if Desktop Authority
was to find the ALLOW item first, it would let IP address
192.168.0.12 through, since it matches the condition. To
prevent this, we make sure that the address 192.168.0.12
is checked before the network to which it belongs.
3. Allow all connections, except those coming from 192.168.0.12:
DENY:192.168.0.12
4. Deny all connections from the network 192.168.0.0 except for
the subnet 192.168.12.0, and allow all other connections:
ALLOW:192.168.12.0 (255.255.255.0) –OR- ALLOW:192.168.12.*
DENY:192.168.0.0 (255.255.0.0) –OR- DENY:192.168.*
Yet again, ordering is crucial.
It is not possible for you to lock yourself out by accident
when setting up IP address restrictions from afar, i.e. you
can't enter a DENY:* clause into an empty list.
528
Reference
DA Logs
In order to view the Desktop Authority log files, this is where you'd
look.
The active log file is at the bottom of the list and is named
DesktopAuthority.log. Older logs are stored with the naming
convention RAYYYYMMDD.log. For example, the Desktop Authority log
file for June 1st 2003 would be called RA20030601.log.
You can enable or disable logging to text files as you will, but Desktop
Authority will always log the following events to the Windows NT/2000
Application Log:
1. Service Start/Stop
2. Login/Logout
3. Remote Control Start/Stop
4. Telnet/SSH Login/Logout
The Application Log is used because of security considerations.
In addition, service start and stop events are always written to the
DesktopAuthority.log file, no matter whether logging is enabled or
disabled. You can modify the settings for these logs under the
Preferences object. Select Log Settings
SSL Setup
If you set up SSL support for Desktop Authority, all traffic between the
host and the remote computer will be encrypted using industrystrength 128-bit ciphers, protecting your passwords and data. You can
do this fairly easily by going to Security and clicking on SSL Setup.
Setting up SSL support for Desktop Authority is done in four easy
steps:
•
First, you must set up your Certificate Authority (CA). This step
will create a CA certificate, valid for ten years, and self-sign it.
Simply fill out the form at the bottom of the page specifying
your country code, your organization and your name. Some
default values are provided here from your computer’s registry.
When you've finished, click on the Create CA button. This will
create the CA. Click on the Continue button at the bottom of
the page when you’re ready for the next step.
•
Second, you need to create the server certificate. Simply fill out
the form at the bottom and click on Create Certificate to
proceed. Desktop Authority will generate a certificate request,
and sign it with the Certificate Authority you created in the
previous step. The certificate created this way will be valid for
ten years. Click Continue on the next screen.
529
Administrator's Guide
•
The third step is optional: you can now install the CA certificate
in your browser. This will suppress the message you'd
otherwise get about the unknown Certificate Authority every
time you make a secure connection to Desktop Authority. Click
on the button and follow the instructions on screen.
•
Fourth, you need to restart Desktop Authority so that it can
load the newly created server certificate. You can do this from
the Control Panel or the console by typing net stop Desktop
Authority and net start Desktop Authority.
That’s it. You are now ready to make a secure connection to Desktop
Authority. Simply use a URL in the form of
https://my.machine.here:2000.
You can use the same CA certificate on several machines, but you
can't use the same server certificate in more than one place. If you
want to use one CA certificate on a network of NT machines, simply
perform step one on the first machine, then copy the files CACert.pem,
CAKey.pem and CACert.der in the Desktop Authority directory to the
other machines. You can then continue SSL setup from step two on all
other boxes. You only have to perform step three once in this case.
The SSL certificates generated here are used for accessing the HTMLbased administration module via HTTPS, and are also used by all
virtual FTP servers to secure connections if using a suitable client.
Windows Password
Select Windows Password to change the current user's windows
password. You must be able to enter the old password before it can be
updated.
530
Reference
PREFERENCES
Appearance
If you select Appearance under the Preferences object you can tailor
the look of the Desktop Authority Remote Manager to your liking.
General Settings
Display perfviewer applet at the top of the screen
Enable/Disable the Java applet showing the current processor and
memory utilization in the top frame.
Enable Tooltips
If you grow bored of the tooltips displayed by Desktop Authority,
you can turn them off here.
Enable Icons
You can turn off most of the icons displayed on the HTML pages.
Default number of items per page for long lists
The number of records displayed per page on those where there are
long lists (such as eventlogs).
Default number of items per WAP page
Most of the WAP devices out there have very small screens and
limited memory. Also, some gateways might enforce size restrictions
on the WML documents they compile for their devices. This
configuration setting lets you specify the number of records to
appear per WAP screen, where applicable. Such screens belong to
the Processes, Services, and Drivers menu options.
Systray Settings
Display the Desktop Authority icon in the System Tray
If you don't want the Desktop Authority icon to be displayed in the
System Tray, you can disable it here. Clicking on this icon gives you
access to a wealth of extra information, including a log of recent
events and detailed performance data graphs.
Custom Pages
Desktop Authority is able to act as a simple HTTP daemon and serve
files from the computer to the Web. You can customize the HTTP
daemon's behavior in the Appearance submenu under the Preferences
object.
531
Administrator's Guide
If you specify the root directory for the HTTP daemon, and the default
index file, it will display the default index file from the web root
specified.
Simply leave the directory field empty if you don't want to use custom
pages.
Network
Here you can configure your Desktop Authority connection settings,
your SMTP settings, and even Dynamic IP Support.
General Settings
The General Settings dialogue allows you to change various connection
and data transport related options.
TCP/IP port to listen on
Specify the port you want Desktop Authority to use. This takes
effect when the service is restarted.
IP Address to listen on
Specify the IP address you want Desktop Authority to use for
incoming connections. Your machine can have several IP addresses
assigned to it, and Desktop Authority can listen on all of those
addresses or just the one you specify here. This takes effect when
the service is restarted.
IP filter profile to use
Here you can select from a drop down menu of specified IP
addresses. You will first need to set this up under Security > IP
Filtering
Accept unsecured HTTP connections (non-SSL)
If this box is unchecked and SSL transport has been set up (Security
> SSL Setup) then only HTTPS connections will be allowed.
532
Reference
Broken proxy server mask
This is a rather obscure name for a setting provided to work around
a rather obscure problem.
Some proxy servers request pages from web servers using several
IP addresses. This can cause Desktop Authority to bounce you back
to the login page after you click the Login button. If you are not
affected by this problem, you should not change this setting.
However, if you experience this problem, please read the following
section carefully.
When you log in, your browser is assigned a session identifier in a
cookie. For security reasons, this cookie is only valid when sent from
the IP address from which the login originated. Were it not so, an
eavesdropping attacker would be able to copy your cookie and gain
access to all Desktop Authority resources to which you have access.
Some proxy servers use several IP addresses when requesting data
from a remote computer. If this is the case with your proxy server,
Desktop Authority sees the original IP address and session identifier
as valid, but requests originating from other IP addresses (even if
accompanied by a valid cookie) are replied to with the login page.
The login page breaks out of frames, and displays itself in your
browser - and you are prompted to log in again. A possible
workaround is to keep logging in as many times as necessary - most
proxy servers only use a few - maybe half a dozen - IP addresses.
Once all the IP addresses are logged in, you will no longer be
bounced to the login page.
Desktop Authority has had a setting called Proxy Problem Fixer. This
is essentially a mask that can be applied to IP addresses. Suppose
your proxy server uses the following IP addresses to request pages
from servers:
192.168.0.33, 192.168.0.34, 192.168.0.35, 192.168.0.36,
192.168.0.37, 192.168.0.38
In this scenario, if you look at the IP addresses in binary form, you
can see that only the last three bits are different:
11000000.10101000.00000000.00100001
11000000.10101000.00000000.00100010
11000000.10101000.00000000.00100011
11000000.10101000.00000000.00100100
11000000.10101000.00000000.00100101
11000000.10101000.00000000.00100110
533
Administrator's Guide
This means that the largest number that can be represented on
three bits (111 binary = 7 decimal) has to be masked from the IP
addresses when checking them against each other to verify the
validity of the session identifier cookie.
Desktop Authority provides a subnet mask-like setting for this
purpose. By default, it is set to 255.255.255.255 - this means that
no bits are masked off. Given the above scenario, we need to mask
off the three least significant bits, thus we subtract 7 (binary form:
111) from 255.255.255.255, which leaves us with 255.255.255.248.
By entering this value in the Proxy Problem Fixer field, we are telling
Desktop Authority to ignore the last three bits.
This is a rather tedious way of getting around the problem, but short
of reconfiguring the proxy server to use only one IP address, there
is no easier solution. The latter is the recommended solution, since
allowing several IP addresses to share the same session identifier
can be a security risk. It is not really significant when you only mask
off a few (three or four) bits, but if you need to decrease more and
more significant bits of the IP addresses, you are putting yourself in
a risky situation.
Of course, the risk can be decreased by protecting the cookie with
SSL - but this requires that you request the login page with the
HTTPS protocol and do not rely on the Use SSL switch that appears
when it is requested via unsecured HTTP.
Maximum number of servicing threads
Here you can specify the maximum number of threads Desktop
Authority can spawn to service client connections.
Idle time allowed
Here you can specify the idle time allowed on a connection before
the user is automatically logged out.
Desktop Authority is a highly configurable tool, meaning that you
can change its settings to suit your individual remote administration
needs and desires.
SMTP Settings
If you want to configure Desktop Authority to send you email alerts
you need to enter your SMTP settings here.
Dynamic IP Support
Desktop Authority can send you an email message pointing to the IP
address of your remote host every time it starts up. Use this if your
host has a dynamic IP address. Leave the recipient field blank if you
don't want to use this feature.
534
Reference
Colors
Here you can modify the colors used by Desktop Authority.
This is done using the standard hexadecimal code used by HTML.
Simply enter the ‘#' symbol followed by the appropriate six-digit
code and click Apply to see the change. For example, the pale blue
color used for backgrounds in the default color settings for Desktop
Authority is #8abdf0.
Predefined color schemes can be selected from the options in the
drop down menu at the bottom of the screen. Click Apply after
selecting a theme.
You can restore the default colors by clicking Restore at the bottom
of the page.
Display CPU and Memory utilization indicators in the System
Tray
Here you can disable or enable the little red and blue graphs that
give you instant feedback on Memory and CPU load.
Log Settings
Desktop Authority's log settings are fully configurable. In order to view
the logs themselves you would go to Security > Desktop Authority
Logs. Here, in the Preferences section you can modify the general
settings for Desktop Authority and the Syslog settings.
General Settings
Keep log files for this many days
At midnight Desktop Authority rotates its log files and deletes old,
unneeded ones. The value you enter here determines how old log
files can grow before they are deleted. If you set this to zero, the
files will never be deleted, unless you do it manually.
Directory for log files
You can also specify the directory for storing these log files. If you
leave this blank, they will be stored in Desktop Authority's
installation folder, by default.
Syslog Settings
With Desktop Authority version 5 you can also modify the syslog
settings. Here you can modify the syslog settings and specify the
syslog hostname or IP address, transport protocol (UDP or TCP),
syslog port numbers for UDP and TCP, as well as the facility code to
report. Click Apply to update your settings.
535
Administrator's Guide
Remote Control
Here you can view and modify a number of options available during
real-time remote control sessions. This includes the general
settings, audible notification, interactive user permissions, and the
remote printing feature.
Disable host keyboard and mouse
By disabling the host keyboard and mouse you can prevent the
person sitting in front of the machine from using their mouse or
keyboard while a remote control session is in progress.
Use mirror display driver
Desktop Authority provides a mirror display driver on the W2K/XP
platforms. This display driver provides a faster and less CPUintensive remote control session. Should you have any compatibility
problems, you can turn off the use of this driver by disabling this
option.
Automatically disable wallpaper
By default the wallpaper (or background desktop image) on the host
computer is disabled when a remote control session is started. If,
for some reason, you need to be able to see this, clear this check
box.
Automatic clipboard transfer maximum size
Desktop Authority features advanced remote clipboard capabilities.
Its usage is outlined earlier in this manual. Under preferences you
can specify the maximum number of kilobytes to be transferred
between machines. The default maximum is 1024 KB, but bear in
mind that transferring significantly larger amounts may cause
problems.
Idle time allowed
If the remote control client is inactive for the amount of time
specified here, it will automatically be disconnected.
Auto panning
If the host computer's display area is larger than that which the
remote control client can display only a part of the screen is shown
and you can use scrollbars to view the required area of the remote
display. With this option enabled, the screen is automatically
scrolled for you when the mouse nears the edge of the current
display area.
Lock console when connection broken
With this option enabled Desktop Authority will lock the console to
protect your work if, due to a network error, the Java remote control
client loses its connection to the server.
536
Reference
Maximum number of screen updates per second
Here you can specify the number of times the screen is updated
every second.
Use screenshot-based remote control by default
Here you can enable screenshot-based remote control, which means
that when you click on Remote Control in the menu, instead of
loading the Java applet, it will go straight to screenshot-based
Remote Control instead. You can switch to Java based Remote
Control from the toolbar, but you cannot switch back again. This
setting is useful if you have an extremely slow connection or a
browser without Java.
Audible Notification
Beep when the remote control session starts or ends
If this is enabled the host computer will beep when a remote control
session is initiated or ended.
Beep continuously during remote control
With this enabled the host computer will beep periodically when a
remote control session is active.
Beep interval
Here you can specify the time between beeps for the above setting.
Interactive User's Permission
Ask for permission from interactive user
If you turn this option off, you will disable the icon, and also any
attempts to notify the local user when someone is accessing the
computer remotely. When this option is off, none of the other
settings in this configuration screen apply. This option, when
disabled, basically tells Desktop Authority not to bother starting
RAGui.exe, the software that sits in the system tray and
communicates with the user. Disabling this option will also disable
the Chat function.
Default answer for confirmation message
Yes or No. When someone tries to gain remote control access to the
computer, and the local user does not answer the query, the remote
control session will either proceed or not, depending on this setting.
Time allowed for the interactive user to give permission
This is the amount of time specified before the notification message
times out.
537
Administrator's Guide
Text to display to the user
This is the text that will be presented to the user in the remote
control confirmation dialogue box. The string ‘%USER%' will be
substituted by the name of the user who is attempting the remote
control operation.
Remote Printing
Here you can enable or disable Desktop Authority's ability to print
remotely.
Telnet Server
This dialogue allows you to view and modify Telnet related options.
For a complete explanation of the Telnet server, please see
Computer Management.
TCP/IP port to listen on / address to listen on
Here you can specify which port / address you want Desktop
Authority to listen on for telnet connections. This defaults to the
standard telnet port of 23, and all available interfaces. Changes take
effect when the service is restarted.
Accept Desktop Authority connections (secure)
Allow plaintext terminal emulator connections to the Telnet port. If
disabled, only the built-in Java client can be used to access Telnet.
This does not affect the SSH server.
Accept Telnet connections
Specify whether telnet connections will be accepted.
Show login banner
Enable or disable the logon message sent by the Telnet/SSH servers
when a connection is established. The logon message looks like the
following:
Windows XP 5.1 (build 260) Service Pack 2
Desktop Authority Telnet/SSH Server v6.0.201
Copyright (C) ScriptLogic Corporation, 2003-2007.
Login:
If you do not want to let anybody who connects to the Telnet/SSH
ports know the version of the operating system and Desktop
Authority, disable this option.
Maximum simultaneous connections
Here you can specify the maximum number of connections to the
Telnet/SSH servers. It's a good idea to set a reasonable limit,
especially on computers connected to the Internet. Every new
connection uses resources on the computer.
538
Reference
Timeouts
Here you can set the login timeout (number of seconds the user
may remain idle during the login process), the idle timeout (number
of seconds the user may remain idle during a Telnet/SSH session)
and the session recovery timeout. When a Telnet connection is
broken ungracefully (that is, the user does not type exit at the
command prompt) it is possible to reconnect to the session and
continue work where it was left off for a period of time. You can
specify the amount of time for which you want the lost telnet
session to remain available. Any and all running programs started
by the user in the Telnet session will be available when the session
is resumed.
Desktop Authority Client
Here you can specify the number of columns and rows that the
console window will occupy. You can also specify whether you'd like
to have the client open in a new window, or in a new window in full
screen mode.
Telnet/SSH Client Default Parameters
Here you can specify the default parameters for the Telnet/SSH
client. You can also select the console mode (Stream, Full ANSI
Colors, or Full Monochrome) and enable/disable the console
parameters option.
SSH Server
As with the Preference options for the Telnet Server, this dialogue
allows you to view and modify SSH related options.
The IP and address options are the same as above, but with the
default port of 22, which is standard for SSH connections. Changes
will take effect when the service is restarted.
Features enabled
There are several options available pertaining to the SSH server.
SSH Protocol v1
Select this check box to use the SSH Protocol Version 1.
SSH Protocol v2
Select this check box to use the SSH Protocol Version 2.
SFTP server (SSH2 only)
Select this check box to use the SFTP (secure file transfer program)
server for FTP transfers.
539
Administrator's Guide
SCP server
Select this check box to use the SCP (secure copy program) server
for file copies between hosts.
Compression
Select this check box to compress data sent over the network.
Password authentication
Select this check box to activate password authentication. When
activated, the user can enter a username / password pair in the
terminal emulator client program and use that to gain access.
Keyboard-interactive authentication
This is similar to Password Authentication, but will not allow the
username / password to be saved in the terminal client.
Cross check IP and DNS entry of clients
Check this option to resolve an IP address to its corresponding DNS
entry and vice versa. For example, if the client comes from the IP
address 192.168.0.10, and this IP address resolves to COMPUTER1,
but COMPUTER1 does not resolve to 192.168.0.10, the connection
will be disallowed.
Forwarding of server-side ports
Select this check box to allow server-side ports to be forwarded to
others, effectively creating a virtual encrypted tunnel during the
duration of the SSH session.
Remote connects to forwarded ports
Select this check box to allow the ports to be forwarded outside the
server; that is, to any computer on the network the server has
access to.
Host Keys
The SSH Host Keys section lets you re-generate SSH1 and SSH2
host keys used by the SSH server. You can specify the key size, but
the larger the key, the longer it takes to generate it. Anything above
2048 bits is excessive, and will take a very long time even on a fast
computer.
Export SSH2 public host keys in SECSH format
Press this button to export the host keys and save them in your
terminal emulator. This way, you can be sure that when the
emulator connects to the computer and does not put up a warning
about an unknown host key, you are still in fact connecting to
the intended computer.
540
Reference
SSH1 Server Key
The SSH1 server key is a key that is relatively short, and has a
short lifetime. It is used in conjunction with the host key to
negotiate a one-time session key for each connection. SSH2 uses
the Diffie-Hellman keyexchange protocol to negotiate the session
key and therefore does not need one.
Privilege Separation
You can enable or disable privilege separation here. A full
description of what this means is available within Desktop Authority
by clicking on ‘What is it.' The text is reproduced here in full for your
reference.
When a user establishes an SSH session, and authentication
succeeds, the server executes applications (typically a shell process
such as cmd.exe) in the user's security context. The server needs to
execute with LOCALSYSTEM privileges to access resources required
for user authentication and impersonation,
Allowing an anonymous user to directly communicate with code that
runs with the same permissions as the operating system itself is the
primary reason remote exploits exist.
Privilege separation has been pioneered by the Unix community with
the release of OpenSSH 3.2. The main goal of this technology is to
prevent anonymous clients from exchanging information with highly
privileged software. This is achieved by serving a client with the help
of two server-side processes: one that runs with SYSTEM privileges,
and another which has practically no privileges (i.e. GUEST
privileges). The latter process is automatically spawned by the
privileged parent. The unprivileged child processes all network data
and handles communications with potentially untrusted clients. It
relies on the parent process to perform tasks that need privileges,
and communicates these requests through a well defined and very
simple interface. This way both sides must agree that the client has
authenticated before it is granted further access, and even if the
unprivileged child is compromised, the intruder cannot gain access
to, let alone modify, valuable information.
OpenSSH runs the unprivileged process in the context of a special
user account. When you enable SSH Privilege Separation in Desktop
Authority, this user is automatically created and its access rights are
minimized on the file system and the registry. This usually requires
several minutes, especially on large file systems. This special user
has very limited rights: only "execute" permissions in the System32
directory, and "read" rights to a minimum set of registry entries.
These permissions are required by Windows to execute any and all
software. All other access rights are explicitly denied for the special
user account.
541
Administrator's Guide
The Privilege Separation User is created under the name
__ra_ssh_privsep__. It is maintained by Desktop Authority and you
should not modify the account, its group memberships or any other
related security settings. This user is created with GUEST privileges,
its password is set to a cryptographically random string that is as
long as system policies allow. The user account is disabled by
default. When Desktop Authority accepts an SSH connection, it
changes the user's password, enables the account, logs the user in,
stores it's access token handle, resets the password again - and
finally disables the user account until it is needed again.
WARNING!
Only NTFS file systems allow the required access rights to be set.
When you install a new hard drive in your computer, Windows
grants full access to the "everyone" group to the new harddisk and
all of its contents. On such occasions you should use the "Check
rights" feature on the SSH Configuration page to set the correct
access permissions on your system.
Local or domain security policies might restrict local logins. Desktop
Authority attempts to explicitly grant the Privilege Separation User
local login privileges in the local security policy - however, if domain
policies override the local security policy, the __ra_ssh_privsep__
user might not be allowed to log in. In this case, Privilege
Separation should be disabled or the domain security policy should
be changed to be less restrictive.
542
Reference
CUSTOM PAGES
Desktop Authority is able to act as a simple HTTP daemon and serve
files from a specified directory. The default Custom Page path and
index file is defined in the Custom Pages section in the the
Preferences object. See Appearance. All other custom pages are
reached from a link on the Custom HTTP default index file.
543
Administrator's Guide
WAP AND PDA INTERFACE
Desktop Authority supports limited access via wireless devices using
the Wireless Application Protocol (WAP). These devices are usually
mobile phones, with limited screen size, limited memory, and limited
processor capacity. For this reason, they do not understand HTML –
pages displayed on WAP devices are written in WML, which is based on
XML. Graphics are simple black-and-white images.
When you access Desktop Authority via the WAP interface, you are
prompted to log in. Enter your username and password using the
phone’s controls then click the OK link. If Desktop Authority does not
recognize your WAP device as such, it might cause your WAP browser
to display a message regarding unknown content, a compile error, or
something similar. In this case, you can edit the contents of the
WapClients.cfg file found in your Desktop Authority directory to make
the user agent known as a WAP device. Further information on the
format of the file is found inside. It is a plain text file and can be
edited using any text editor.
Security Precautions
With HTTP and the browser interface, you have a fairly simple job
securing your communication: simply create an SSL certificate, install
the certificate in your browser, and use HTTPS as the protocol.
With the WAP interface, things are more difficult, since your phone
does not directly communicate with Desktop Authority. WAP devices
connect to a WAP gateway that acts like an intelligent proxy server:
1. The phone issues a request to the gateway. The phone and the
gateway communicate via UDP (connectionless IP).
2. The gateway issues an HTTP or HTTPS request to Desktop
Authority and waits for the reply.
3. The gateway compiles the received WML into bytecode and
sends it to the phone.
544
Reference
While this is of no concern when browsing WAP pages for stock quotes
or weather forecasts, it raises two issues when a secure connection is
required:
1. The phone must be able to communicate with the gateway via a
secure channel. This is done via the WTLS protocol that
requires that the phone ‘trusts’ the gateway – that is, it has its
WTLS certificate installed.
2. The gateway must be able to communicate with Desktop
Authority via HTTPS. This requires that the gateway ‘trust’ the
Desktop Authority installation in question – it should have its
certificate installed.
When using a commercial gateway (such as the ones provided by cell
phone companies) the first issue is usually not a problem. However,
your cell phone provider will probably not install your self-generated
Desktop Authority certificates, so the secure connection between the
gateway and Desktop Authority will not be established.
When accessing Desktop Authority from your phone, always use the
HTTPS protocol by specifying HTTPS:// in the beginning of the URL.
This will encrypt the data sent and received between the gateway and
the Desktop Authority installation.
Here is a brief description of how to configure a Nokia7110 to use a
WAP gateway:
•
Select the Services menu. Select Settings. The 7110 allows you
to store 5 different sets of WAP connection settings. Highlight
the current settings, or one of the unused settings on the
phone, and select Options. Select Edit to edit the selected
settings.
•
Homepage should be set to the Desktop Authority installation
you most frequently access - or any other WML page. You can
use the Bookmarks feature of the phone to store your Desktop
Authority URLs.
•
Connection Type should be set to Continuous.
•
Connection Security should be set to On, this will encrypt the
data sent and received between the phone and the gateway.
•
Bearer must be set to Data.
•
Dial-up number must be set to the phone number of your dialin server.
•
IP Address must be set to the address of your WAP gateway.
•
Authentication type can be set to either Normal or Secure,
depending on the configuration of your dial-in server. This
setting specifies how the username and password are sent to
the dial-in server, and does not have any affect on actual WAP
communications.
545
Administrator's Guide
•
Data call type can be set to either Analogue or ISDN,
depending on your mobile operator network and the type of
dial-in connection that you will be using.
•
Data call speed can normally be left to Autobauding.
•
User name specifies the user name associated with your dial-up
connection.
•
Password specifies the password associated with your dial-up
connection.
•
Once you have configured all of your settings, use Back to
return to the previous level of menus, and then Activate your
configuration.
Info Screen
You will be greeted with an Info screen that displays some essential
information about the computer.
At the bottom of this screen (and at the bottom of every screen) you
will find the main menu that allows you to select Desktop Authority
functions accessible via the WAP interface.
The Menu
The menu, at the bottom of the screen looks like the image on the left
(only partially shown):
Here is the complete list of menu options:
1. Main Menu
2. Services
3. Drivers
4. Processes
5. Performance Monitoring
6. Reboot
7. Event Viewer
8. Logout
A link to this menu is present at the bottom of every page displayed by
Desktop Authority.
Services & Drivers
You see a listing of all installed services, with their status next to
them. Selecting a service takes you into a menu that allows you to
control that service:
546
Reference
On the services listing page, near the end, you can request different
parts of the list.
The Drivers page looks and behaves exactly like the Services
page.
Processes
The Processes page has three options, as shown in the image on the
left.
The first two will let you see a listing similar to the Services or Drivers
lists – next to the process name you will see either the CPU time used
by the process or the Memory in use by the process, depending on
your selection:
Selecting a process will display detailed information about it, such as
the executable name with full path, the parent process, if available,
the creation time, CPU time, pagefile and physical memory usage, as
in the image on the left.
You also have the option of killing a process here.
The third option in the Processes menu is the Create Process one. This
will present you with the following dialogue:
Filling out this form and submitting it launches a new process under
the user account of the person using the WAP device. You can use this
for a variety of tasks, such as executing batch files:
Executable Name: cmd.exe
Optional Parameters: /C c:\backup\startbackup.cmd
This will launch the command interpreter, which, in turn, will launch
the startbackup.cmd batch file in the c:\backup directory.
Performance Monitoring
On the performance pages, you can view graphs on the CPU, memory,
and disk space utilization. The main menu looks like the image on the
left.
By selecting either of these options, you are presented with three
graphs, each with a different sampling rate – just like in the main
Desktop Authority performance charts.
The CPU load represents the total CPU load on multiprocessor
machines. The memory load includes physical and virtual memory. The
disk space utilization chart represents the total for all harddisks in the
computer.
547
Administrator's Guide
Reboot
This option presents you with a menu similar to that found in the HTML
interface.
The first three selections reboot the computer. Normal reboot shuts
down all applications. Emergency reboot kills all processes then shuts
down and restarts the system in an orderly fashion. You might lose
data in your running applications. Hard reboot is just like pressing the
reset button or toggling the power switch: use this only as a last
resort!
The last selection restarts the Desktop Authority service.
Event Viewer
This option enables you to view Desktop Authority’s event viewer. You
will be given a list of event viewer options as in the image on the left.
Logout
This menu option ends your Desktop Authority session.
It is not strictly necessary to manually log out – your session will
eventually time out after the time period specified in the Desktop
Authority configuration elapses.
548
Reference
Reference
DESKTOP AUTHORITY API
The Desktop Authority API is a documented set of functions, variables
and supplemental utility programs that allow you to fully harness the
capabilities of Desktop Authority through custom scripting.
The Desktop Authority API can be broken down into four categories:
Functions: Wrap many lines of KiXtart code (and supplemental
utilities) into a single line of code, for easy insertion into your custom
scripts. Many of the Desktop Authority API functions are direct
replacements for native KiXtart functions -- and they can overcome
the security restrictions of the user logging on.
Dynamic Variables: Globally defined variables in the Desktop Authority
engine. These variables are used by the engine itself and can be used
in custom scripting.
Utility Programs have been developed to expand upon the built-in
functionality of KiXtart. These tools are often wrapped by API
Functions eliminating the need to execute them directly.
549
Administrator's Guide
DESKTOP AUTHORITY API - DYNAMIC VARIABLES
Predefined Dynamic Variables can be used to aid in the creation of
configuration elements. These variables are globally defined and used
by Desktop Authority during the client logon process. Using them is
helpful, if not a necessity, when writing custom scripts.
Dynamic Variables can be used in virtually every field within the
Desktop Authority manager, including those fields with built-in lists.
Simply press the F2 key to display a dialog that allows the selection of
a predefined variable from a visual list. The dynamic variable will be
inserted at the current position of the cursor.
These variables are available for a few different categories:
Applications Variables
Date and Time Variables
Folder and Disk Variables
Messaging System Variables
Network Variables
Operating System Variables
Security Variables
System Variables
A complete list of Desktop Authority's predefined variables can be
found on the ScriptLogic web site.
550
Reference
DESKTOP AUTHORITY API - FUNCTIONS
The Desktop Authority API functions are designed to streamline your
custom scripts by reducing the amount of code you must write. They
will also allow you to overcome security limitations of the user.
A complete list of the Desktop Authority API functions can be found on
the ScriptLogic web site.
551
Administrator's Guide
LIMIT CONCURRENT LOGONS
Since Desktop Authority executes during the logon process, which is
before the user has control of their desktop, you have the ability to
forcibly log off the user if you detect they have logged on too many
times.
To Limit Concurrent Logons, you must:
Share each user’s home directory.
The task of sharing each user’s home directory as well as
specifying the maximum number of connections can be
daunting if there are a lot of users for which this must be
done. ScriptLogic’s AutoShare utility can help. AutoShare will
simply share all users' home directories at the click of a button.
Configure user logon maximums.
Since the Concurrent User Limit is applied individually to each user's
share, you can configure your users to have different concurrent logon
maximums while other users (such as Administrators) have no limit.
This is done by setting the maximum number of connections in the
properties dialog box for the share of the individual’s user folder.
AutoShare can also be set to accomplish this task.
552
Reference
Provide a drive mapping in Desktop Authority.
Using the Drive Mappings object within the Manager, map a drive to
each user’s Home Directory.
Example:
Map drive H: to the shared folder \\$HomeServer\$HomeDir\
Set the concurrent logons limit.
Tell Desktop Authority what drive letter you are mapping to the user’s
share. Do this by selecting the Limit concurrent logons by
monitoring the share mapped using drive check box on the
General object.
553
Administrator's Guide
Once configured, Desktop Authority will immediately log off any user
that attempts to concurrently log on more times than they are
allowed.
554
Reference
ROOT MAPPING HOME DIRECTORIES
The Root Mapping concept originates from the Novell Netware
operating system. It allows a drive to be mapped to a directory that
looks and acts like a root directory instead of a subdirectory. Unless
you have Windows 2000 clients or have the Distributed File System
(DFS) installed on your NT4 Servers, the Windows 95/98/NT4*
operating system will only allow you to map (net use) a drive letter to
a share – not to a folder beneath the share, as home directories are
usually created.
Root Mapping to the user’s home directory provides a simple path to
the directory. Since all other users’ home directories on the drive are
invisible to the user, there is no confusion as to where the directory is.
The user does not have to scroll through a list of folders to search for
their own folder. This makes it faster to find what they are looking for.
For example, using Desktop Authority, you can “root map” drive letter
H: to each user’s home directory and then have Microsoft Office
open/save paths default to H:\Documents; you can redirect Internet
Explorer’s bookmarks to H:\Bookmarks; you can create
Outlook/Exchange mail profiles on-the-fly and store the personal
address book and/or personal folders on H:\Exchange; and you can
redirect all your shell folder pointers to H:\ShellFolders. Simply put,
you end up with the ability for any user to logon to any machine and
retrieve all their settings -- without a visit from the network
administrator and without using Roaming Profiles!
555
Administrator's Guide
Step 1
Create a base share point for your user's home directories.
Open Window's Explorer on the server to house home directories.
Create a folder called "Users".
556
Reference
Right click the Users folder you just created and select the Sharing
tab. Share this folder as "Users".
557
Administrator's Guide
The folder should now look like the following in Windows Explorer.
Note: You may elect to have multiple base share points
spread across one or many servers. Since Desktop Authority
can use dynamic variables when mapping drives, you will
only need a single entry on the Drive Mappings object to
accommodate any configuration you wish. If you have
hundreds or thousands of users, you may want to create a
more complex "user tree". For example: You may create a
"users" folder. Under the users folder, you create "faculty"
and "students". Under the students folder, you create
"sophomores", "freshmen", "juniors" and "seniors" folders.
In this more complex example, the (4) sub-folders of
"students" would be the base share points.
558
Reference
Step 2
Create your users with User Manager for Domains (UMD), or Active
Directory - Users and Computers if you have Windows 2000/2003
Domain Controllers.
When creating users with UMD, the key element to root mapping home
directories is how you populate the fields of the Profile page for each
user.
If you’re ultimate goal is to map drive letter H: to each user's home
directory, choose a different letter here in UMD.
Now specify the path to the user's home directory. Notice in the
example above there are three logical pieces to the user's home path
(\\server1\users\%username%), each separated by a backslash.
The Desktop Authority dynamic variable for this entire home share
string is $HomePath. Separating this path into three logical pieces,
the first piece "\\server" is the name of the server that contains the
base share point we created in step 1 (The Desktop Authority dynamic
variable, less the leading backslashes is $HomeServer). The second
piece "users" is the base share point (Desktop Authority dynamic
variable: $HomeBase). The last piece is the actual home directory for
the user (Desktop Authority dynamic variable: $HomeDir). UMD will
automatically translate the %username% environment variable to the
user's logon name when you press OK to exit this screen.
When you press OK and save the user, User Manager for Domains will
automatically create the user's home directory based on the
information entered in this dialog. NT/2000 will only grant the user Full
Control NTFS permission to their home directory. While this is done for
security purposes, this typically presents two problems:
559
Administrator's Guide
1. Even as an administrator you don't have NTFS rights to this
folder so you can't share it, and
2. Your third-party tape backup software may not be able to
backup the documents in your user's home directory if it
logs on with an Administrator account.
To overcome these two problems, you must grant NTFS permissions to
an administrative group so that you can share the user's home
directory, and allow your third-party backup program to read any
documents stored in this directory.
After you grant Full Control NTFS permissions to each users home
directory for your administrative group, you can then share each
user's home directory.
560
Reference
Step 3
Apply NTFS permissions and share each user's home directory.
To completely automate the application of NTFS permissions and
sharing of each user's home directory, we created a utility called
AutoShare. AutoShare consists of two components: The AutoShare
Manager which is the intuitive GUI interface for managing your
configuration and the AutoShare Service, which runs as a service on
one or more NT/2000 servers.
Without AutoShare, you'll need to use Windows Explorer to manually
change the NTFS permissions and share each user's home directory.
To accomplish this task using the manual method, launch Windows
Explorer and expand the Users folder to show the users home
directories beneath it. Right click on each user home directory and
select Properties. Then select the Security tab.
561
Administrator's Guide
Add your administrative group (e.g. Domain Admins) to the list with
Full Control rights.
562
Reference
Apply and then select the Sharing tab.
563
Administrator's Guide
For security, it is recommended that when you create shares for each
user's home directory, you make them hidden shares. A hidden share
does not show up when your clients browse the network using
Windows Explorer and/or Network Neighborhood. A hidden share has a
dollar sign appended to the end of the actual share name.
564
Reference
Step 4
Configure Desktop Authority's Drive Mapping object.
Now that the user and their home directory have been created,
secured and shared, we can configure Desktop Authority to map a
drive letter to the "root" of their home directory.
Launch the Desktop Authority Manager, from Profiles, select the profile
and then the Drive Mappings object. Insert a new configuration
element.
Specify drive H for the drive letter and a shared folder of
\\$HomeServer\$HomeDir$$.
Notice how we leveraged the use of Desktop Authority's dynamic
variables so that a single entry to the Drive Mappings object will
accommodate mapping a drive letter to each user's home directory no
matter how many servers and/or base share points exist on your
network.
Also, note the use of the trailing double dollar sign. This is due to the
way in which the KiXtart engine interprets strings during execution.
Since dynamic variables begin with a {$}, we enter a double dollar
sign {$$} so that KiXtart knows we don't want to insert a variable at
this point -- we simply want a dollar sign appended to the share (i.e.
hidden share).
Save the changes, replicate and exit. Logon from a client to verify your
home mapping works as expected.
**Windows 95, 98, Me and NT4 clients are no longer supported.
565
Administrator's Guide
IMPLEMENTING A POOR MAN'S PROXY
The ability of Desktop Authority to control proxy settings can even be
beneficial even if you don't have a proxy server on your network. With
a little creativity, you can create a "Low Budget" proxy which prevents
users belonging to a specific group from browsing the Internet.
Implementing this is a simple process. Follow these steps:
1. Create two domain groups. Call them InternetAccess and
NoInternetAccess.
2. Select the Internet Explorer Settings object. Insert a new
configuration element and configure the proxy settings for the
NoInternetAccess domain group. Enable the use of a proxy
server by selecting the Use a proxy server check box. Enter
an invalid TCP/IP address (or the address of your Intranet
server) as the Proxy Server address.
By selecting the Bypass proxy server for local addresses
check box, you could allow access to a small list of
company/business related sites.
Set the Validation Logic Type to Group Membership with a
Value of the NoInternetAccess domain group.
3. From the Internet Explorer Settings object, highlight the
newly created element and copy it (CTRL+C). This will create a
new Internet configuration element and select it for edits. Clear
the Use a proxy server check box.
Set the validation logic type to Group Membership with a value
of the InternetAccess domain group.
4. The final step is to define a security policy that will disallow a
user from changing the proxy server configuration.
Select the Security Policy object. Insert a new configuration
element and configure the Internet Explorer: Disable changing
proxy settings policy.
Select Enable from the Enable/Disable list.
Select Internet Explorer from the Category list.
Select the Internet Explorer: Disable changing proxy settings
from the Policy list.
Modify the default Validation Logic to apply this policy for Group
Membership, NoInternetAccess.
566
Reference
DESKTOP AGENT
What is the Desktop Agent?
Desktop Authority provides the ability to execute programs when
Windows shuts down, restarts or logs off. This happens with the help
of the Desktop Agent. The Agent is a program that sits idle in the
system tray until a shut down, restart or log off event occurs. When
one of these events are triggered, the Agent will seamlessly invoke
any queued applications, shell scripts, or service pack installations.
Custom Scripts may also be executed at this time providing an
unlimited array of functionality.
Configuring the Desktop Agent
To configure the Desktop Agent, select the Desktop Agent object
under Global Options.
Desktop Agent Client
The Desktop Agent client is an application used to launch specified
programs when the client logs off or shuts down the computer. The
client side of the Agent also provides several options to control the
workstation. The user may Shut down, Restart, Logoff or Lock the
workstation if the agents icon is displayed in the system tray. Simply
right-click on the icon for the shortcut menu.
567
Administrator's Guide
About
Select About from the shortcut menu to see version and copyright
information regarding the Agent.
Shutdown
Select Shut down from the shortcut menu to shut down the
workstation.
Restart
Select Restart from the shortcut menu to restart the workstation.
Logoff
Select Logoff from the shortcut menu to log the current user off of the
workstation.
Lock Workstation
Select Lock Workstation from the shortcut menu to lock the
workstation. Pressing CTRL-ALT-DEL will allow the user to unlock the
workstation.
Screen Saver
Select Screen Saver from the shortcut menu to bring up the screen
saver as if the computer was inactive. The computer will not be locked.
Delay Inactivity Detection
Select Delay Inactivity Detection from the shortcut menu to set the
workstation in order to change the inactivity detection time. This may
be needed if the user is running some procedure or application on the
machine that will make the computer appear to be inactive because of
no user interaction. This can occur, for example, if the computer is
running a video that does not require user interaction. Enter the
number of minutes that inactivity detection should be delayed for.
568
Reference
OPTION FILES
There are several ways to control the mode in which Desktop Authority
executes on the client workstation. This is done with the use of option
files that may exist on workstation.
What is an option file?
An option file is simply an ASCII file created using any text editor,
including Microsoft’s Notepad. The file has no contents and the
filename has no extension.
Creating an option file
The easiest way to create a special option file is using Windows
Explorer. Right-click in the appropriate folder. Choose New and select
Text Document from the shortcut menu.
When using Windows Explorer (New / Text Document) to create a
Special Option File, make sure you deselect the Hide file extensions for
known file types option under Folder Settings. This will allow you to
create the file without the ".txt" extension.
Security Concerns
To tighten overall security and prevent users/students, etc. from using
these special option files to change the behavior of Desktop Authority,
you can disable them in the Desktop Authority Manager. This is done
in the Global Options Visual, Exceptions and Troubleshooting objects.
Clearing the check box disables Desktop Authority from determining if
the corresponding option file exists.
SLNOGUI
The presence of this file, (SLNOGUI., no file extension) specifies the
selected visual startup option displayed during the logon process is
overridden with a textual version of the logon window. If there are
problems with any Desktop Authority client configurations, use this
option file to figure out what in the logon process is problematic. The
use of this file requires the Allow any client to override this
setting and always display the text logon screen option to be set.
This is done on the Visual object within Global Options.
To turn the SLNOGUI mode on for all clients without the use of this
file, select the Display Text Logon check box on the Visual object
within Global Options. Setting this global option provides the text
dialog for all workstations.
569
Administrator's Guide
This feature can be enabled for either a specific user or a specific
workstation by using this special option file. To enable this feature for
all users logging in from a specific workstation, place this file in the
root directory of the workstation’s hard drive. To enable this feature
for a specific user regardless of which machine they logon from, place
this file in the user’s home directory.
SLBYPASS
The presence of this file, (SLBYPASS., no file extension) allows you to
exclude certain computers from ever executing Desktop Authority
regardless of the options selected in the Desktop Authority Manager.
The use of this file requires the Allow any client to selectively
bypass Desktop Authority execution option to be set. This is done
on the Exceptions object of Global Options. If this file is present on
the client, the Desktop Authority Pre-Flight-Check (SLOGIC.BAT), will
detect its presence and immediately exit before launching the main
script engine and/or applying any configuration changes to the client.
To enable this feature for all users logging in from a specific
workstation, place this file in the root directory of the workstation’s
hard drive.
SLNOCSD
The presence of this file, (SLNOCSD., no file extension) allows you to
exclude certain NT based computers from automated Service Pack
installations, regardless of the Validation Logic applied to the Service
Pack configurations by the Desktop Authority Manager.
If this file is present on the client, Desktop Authority will NOT install
the Service Pack to the client, regardless of whether or not the
user/computer satisfies the criteria specified by the Validation Logic
settings for the Service Pack.
To enable this feature for all users logging in from a specific
workstation, place this file in the root directory of the workstation’s
hard drive.
570
Reference
REPLICATION TO NETLOGON
Replication is the process of publishing Desktop Authority
configurations from a source location to the NETLOGON share of all
target domain controllers. Using a replication process allows a single
"master" copy of the configurations to be maintained in a centralize
location.
The following files are published during the replication process.
File
Description
sld
Profile Description files
slp
Profile configuration files
Antivirus40.kix
asee.dll
config.dat
DAUSLoc.dll
DAUSLocCOM.dll
This ScriptLogic custom script has
been designed to prevent VBscript
and other scripted viruses from
executing on your clients. This
proactive approach is achieved by
disassociating certain file type
extensions from Windows Script
Host.
ASEE Dynamic Link Library, v.
1.2.14.0
Anti-spyware SDK (definitions) file
Client-side portion of the Update
service. All client-side
communications go through this
component.
COM wrapper for DAUSLoc.dll.
KX16.DLL
KiXtart runtime dll's needed for
communication with NETAPI.DLL
in Windows 95 and 98.
KX32.DLL
KiXtart runtime dll's needed for
communication with NETAPI.DLL
in Windows 95 and 98.
KX95.DLL
Client side of the KIXRPC service.
msvcp71.dll
Microsoft® C Runtime Library, v.
7.50.3077.0
571
Administrator's Guide
msvcr71.dll
profiles.sl
Profile listing
psapi.dll
Process Status Helper, v. 4.00
Q245148i_09.exe
Winlogon Service Update for
Windows NT 4.0 Service Pack 6
shfolder.dll
Microsoft Shell Folder Service
slAgent.dll
ScriptLogic COM object agent that
runs as a local service on the
client to monitory inactivity, run
as admin capability among others.
This is displayed as an icon in the
system tray.
slAgent.exe
ScriptLogic COM object agent that
runs as a local service on the
client to monitory inactivity, run
as admin capability among others.
This is displayed as an icon in the
system tray.
slAPIEng71.dll
slAse.exe
ScriptLogic API engine used for
Data Collection
(Hardware/Software Collection)
Anti-spyware client service
slDataCollection.dll
ScriptLogic Data Collection script
SLengine.dll
Desktop Authority engine which
processes the configuration
profiles.
slMapiEx.dll
Desktop Authority dll responsible
for processing Outlook Mail
Profiles.
SLogic.bat
Desktop Authority's logon script
SLPdefault.SL
Default ScriptLogic Profile
SLPDefault.sld
Default ScriptLogic Definitions file
daUpdateClient.exe
slScanEngine.exe
572
Microsoft® C Runtime Library, v.
7.50.3052.4
Update service client object
Patch Management Scan Engine
which scans for installed and not
installed patches
Reference
slSigs.ini
Desktop Authority signature file
used to verify that the
configuration profiles and
definition files are correctly signed
slStart.exe
Runs with Desktop Authority
engine to process the
configuration profiles.
SLstart.ini
Client configuration file for
ScriptLogic Engine and COM
Object
Syg.dat
VarDefs.sl
wKiX32.EXE
xdel.exe
Anti-spyware SDK (definitions) file
Global variable definitions
Console-less version of KiXtart
program file.
ScriptLogic utility to delete all files
in a folder (and optionally recurse
subfolders.
573
Troubleshooting
TROUBLESHOOTING
Before calling Technical Support
Before contacting Technical Support, gather the information suggested
below and follow the basic troubleshooting techniques, search our
online Knowledge Base or post a message in our online Discussion
Forums.
If you cannot find the solution to your problem, fill out the Ask Support
online form for direct email correspondence with our Technical Support
team.
The following information is needed prior to contacting technical
support:
•
What version/build of Desktop Authority is installed? Check the Version
History on the support web site to see if the problem you’re encountering has
been addressed by an update.
•
Verify the Desktop Authority setup program was run on the Operations
Master (PDC).
•
Launch the Server Manager applet from the Desktop Authority manager.
Verify that the ScriptLogic service is started (green LED).
•
Verify that SLOGIC is entered in the Logon Script field of the user’s
properties\profile page in User Manager for Domains.
•
Gather details about the problem — What is the client OS? What Service
Pack? If 95/98, what version? Are user profiles server-based (roaming)? Are
you using Microsoft Policies?
•
The Windows 95 Operating System accounts for the majority of the technical
support calls we receive. There are many releases of 95 and due to the age
of the OS. Often systems DLLs are found to have been outdated by other
application installations.
•
Older versions of Anti-virus software have been known to interfere with
applications. What AntiVirus program is installed?
•
If Novell's Client32 is installed on Windows 9x systems, what is the network
call order? Change the order to make the MS client first? See
Knowledgebase Article T0006 for help with changing the call order.
•
Does the problem follow a specific user from computer to computer or is the
problem specific to an individual computer?
574
Troubleshooting
•
If the problem exists on individual computer(s), determine whether the
problem effects one computer, a few computers (small percentage of the
total), or all computers.
•
What do the clients experiencing the problem have in common?
•
After gathering all information, use the Search feature on our website,
www.scriptlogic.com/support, to locate key words based on the entire site,
including FAQs, TekNotes, Custom Scripting, etc.
575
Administrator's Guide
BASIC TROUBLESHOOTING TECHNIQUES
Desktop Authority does not execute at all:
If Desktop Authority does not execute when the user logs onto the
network and the logon script designation has been verified to be set
to SLOGIC, try creating a file called "Test.bat" in the scripts folder
on the Operations Master.
The file should contain the following three lines:
@echo off
echo This is the %0 logon script.
pause
At the time of the logon, if this test logon script executes properly, a
command window will open containing the following:
This is the \\aserver\NETLOGON\test.bat logon script.
Press any key to continue. . .
After creating this test logon batch file be sure to replicate it and
assign it to a user. Have the user log on again. Does this simple
logon script execute?
If it does not execute, the problem is most likely an OS issue and
not a Desktop Authority issue. Check Microsoft's TechNet for
possible resolutions to this problem. There are a few Knowledgebase
Articles on the ScriptLogic website, mainly relating to Windows 95,
which may help to resolve this problem.
576
Troubleshooting
Desktop Authority executes sometimes:
This is most often a problem with replication. Verify that replication
is configured correctly to propagate Desktop Authority to all DCs,
and that after replicating, Desktop Authority exists in the
NETLOGON share of all DCs. From the OS Start Menu, choose Run
and type \\DCname\NETLOGON. Do you see SLOGIC.bat? Repeat for
each DC.
If replication appears to be configured correctly in the Desktop
Authority manager, but replication does not propagate the scripts to
all DCs, verify that Administrators have Full Control permissions to
the NETLOGON share.
If you have NT's Directory Replication configured, make sure its
distribution flow does not conflict with the distribution flow
configured within Desktop Authority. Consider turning off NT
Directory Replication on all your Domain Controllers - it is excess
overhead you probably don't need -- Make your changes using the
Desktop Authority manager and then immediately publish (replicate)
those changes using the Desktop Authority manager.
Drive Mappings (and other functions) do not work on
Windows 9x clients:
If you are mapping drives based on group membership, this problem
is often caused by the Windows 9x client not resolving group
membership properly. If group membership is not resolved properly,
all other functions (messages boxes, printer capture, MS Office
paths, etc.) will fail due to the same reason. This is most commonly
caused by the ScriptLogic service not installed to, and started on, all
Domain Controllers.
To immediately confirm this is the problem, enter a single asterisk
{*} instead of selecting a group from the for the validation logic
type value. An asterisk means "Everyone" and Desktop Authority
will not attempt to resolve group membership before mapping the
drive.
If using an asterisk {*} works correctly, review Knowledgebase
Article T0023 for causes and corrective measures.
If you are performing an action based on OUs, the problem may be
that the Windows 9x clients are not pulling the AD/OU information.
By default, Windows 9x does not obtain Active Directory
information. In order for 9x machines to access the AD/OU
information, the Active Directory Client Extension (DSClient) from
Microsoft must be installed.
577
Administrator's Guide
Script Errors Out:
A script error is usually indicated by a "beep" during script execution
- prior to the progress bar reaching 100%.
Disable all custom scripts by selecting all custom scripts in either or
both of the Pre-Engine or Post-Engine scripts configuration list. On
the validation logic tab, select the Disable this element
regardless of validation check box. If this solves the problem the
next time the user is authenticated, there is probably a syntax error
in one of the lines of a custom script.
If this does not solve the problem, create a file called SLNOGUI
(with no extension) in the root of the system drive of the client
machine you are logging on from. Logoff and logon again. When
Desktop Authority detects this file, it will turn off the graphic
progress indicator and show you what's happening during the logon
process. If SLNOGUI helps, but the script still generates an error
(that flashes on the screen too fast to read), rename the SLNOGUI
file you created to SLDEBUG. This is similar to the SLNOGUI file, but
will pause before each function is executed. When in debug mode,
press the [Enter] key to continue, the [D] key to disable debugging
for the rest of the script, or [Q] to immediately quit the script.
If still unable to resolve the problem, Email us the client
configuration file for the profile generating the problem and any preengine or post-engine custom scripts files as attachments. Include
problem description, steps taken and all details gathered in step 1.
Script does not complete, hangs, or generates a
GPF/Dr.Watson:
NT/2000 Clients - possible corrupt profile: If the problem appears to
be specific to one user and only when they logon from one
computer, logon as a different user and delete the local profile of
the user experiencing the problem.
9x Clients - possible outdated/corrupt system DLLs: If the problem
happens on only a small percentage of the total clients, the old
"Windows Refresh" may by necessary (it would probably be faster
than spending days trying to figure out which system DLL is the
problem).
After completing the basic troubleshooting steps outlined in this
document, submit your problem report using the Ask Support form,
located on the ScriptLogic support web site.
578
GLOSSARY
A
AD: The shortened name for Active Directory Users and Computers.
C
client: A computer connected to the network.
computer name (NetBios): A unique name (up to 15 characters long) assigned
to a computer for identification purposes.
custom scripts: (ScriptLogic) A KiXtart script written to provide a customized
solution.
D
DACONFIGURATION:
DAREPORTING:
domain: A collection of resources including computers, printers, etc. grouped
together to form a single networked environment.
Domain Controller: A server that authenticates and manages network logons.
drive mapping: The redirection of a network directory to a local drive letter on
the client.
dynamic variables: (ScriptLogic) Variables that are used to temporarily store
values that are used at a later time in a KiXtart script. The values of these
variables change according to the user that is logging on to the network.
G
Group: A collection of users, computers, and other groups used to manage
access to network resources.
H
hidden share: A shared folder that is hidden to the user while browsing file
using Network Neighborhood and Windows Explorer.
Home Directory: A private directory located on the network that only a specific
user has access to.
Host Name: The DNS Name assigned to a computer for identification purposes.
I
IP Address: A unique address used to identify a node on the network.
579
Administrator's Guide
K
KiXtart: A logon script processor and scripting language developed by Ruud van
Velsen of Microsoft Benelux
L
logon script: A batch (.BAT) or command (.CMD) file used to configure the users
working environment when they log on to the network.
M
MAC Address: A hardware address that is built in to the network adapter.
Master Domain: The domain in a Single Master Domain network model that
maintains the user database.
member server: A server contained on the network that is not considered a
domain controller.
MSDE 2000:
N
NETLOGON: A default shared folder, %WinDir%\System32\Repl\Import\Scripts,
used to hold all logon scripts. By default, “Everyone” has read access to
this folder.
O
Operations Master: (ScriptLogic) The Domain Controller that ScriptLogic is
installed to.
OpsMaster service:
P
Patch Management service:
Post-Engine scripts: (ScriptLogic) A customized KiXtart script that is made to
run following ScriptLogic’s logon script.
Pre-Engine scripts: (ScriptLogic) A customized KiXtart script that is made to
run prior to ScriptLogic’s logon script.
R
RAS: Remote Access Service. A service that provides the ability for remote
logons for the purpose of monitoring and administering networks.
RBA:
replication: The process of synchronizing data from one computer to another.
580
Glossary
Resource Domain: A separate domain to it’s Master that allocates its own
network resources. Uses the Master domain to authenticate its users.
role:
Role Based Administration:
root mapping: Maps a network folder or drive (usually a home directory) to a
drive letter on the local machine. The resource is mapped to the root of
the drive letter. Any folders above the mapped resource is not seen by the
user.
S
SAM database: The database that holds a network’s entire user account list.
These user accounts are accessed by the UMD (User Manager for
Domains) applet.
ScriptLogic service:
server: A computer designated to provide shared resources to other computers
on the network.
service: An application that runs in the background and has no interaction with
the desktop. The application is executed before the user logs on and runs
under a system or predefined user account.
service account: An account specifically created to start and stop services.
Generally this is specified as a domain account with Domain Admin
privileges and the right to logon as a service.
share: A network directory that has been shared and provided permissions to
authorized users.
site: A collection of network resources that physically exist in separate locations.
SQL 2000:
Super User/Group:
SuperBrowser: (ScriptLogic) ScriptLogic’s network browser which can be found
by pressing the select button to fill in an entry. It is used to locate a
resource on the network.
system policies: Settings in the registry that are concerned with the current
user and local computer settings. System policies are set using the Group
Policy MMC snap-in (W2k) or Poledit.exe (NT).
T
target:
U
UMD: The shortened name for User Manager for Domains. See Also: User
Manager for Domains.
UNC: The full Windows 2000 name of a networked resource. The syntax for a
UNC is \\servername\sharename.
581
Administrator's Guide
user: The person who is using the workstation to access the network.
User Manager for Domains: An applet used to manage user accounts.
user profile: A file that holds configuration information including desktop
settings, persistent network connections, and user preferences. The user
profile is restored at every logon so the same working environment exists
for the user.
V
validation logic: (ScriptLogic) The definition of rules used to determine whether
a ScriptLogic setting should affect the user that is currently logging on to
the network.
VPN: Virtual Private Network.
582
INDEX
A
Device Lockdown
441
Administrative Audit Reports
177
Display
312
Administrator Activity Report
177
Drive Mappings
318
Alerts
298
Drives
Anti-Spyware
302
Dynamic Variables
Anti-Spyware Activity
177
E
Anti-Spyware Reports
177
Environment
API
550, 551
Assign Script
112
C
Client Deployment
112, 114
552, 555
36
322
F
File Operations
324
File/Registry Permissions
397
Folder Redirection
328
Common Folder Redirection
310
G
Computer Management
478
General
330
Global Definitions
124
Global Desktop Agent
130
Global Exceptions
128
Create Program Shortcuts
Custom Scripting
75
405
D
Desktop Agent
567
Desktop Hardware Inventory Computers Missing for (Days)
177
Desktop Hardware Inventory Detailed
177
Desktop Hardware Inventory Detailed by Component
177
Desktop Hardware Inventory Detailed with Last User
177
Global Options
Assign Script
112
Definitions
124
Desktop Agent
130
Exceptions
128
GPO Deployment
114
Patch Distribution
117
Server Manager
145
Desktop Hardware Inventory Summary
177
Software Management
120
Desktop Patch Status
177
Troubleshooting
132
Desktop Software Inventory
177
Visual
125
Desktop Software Inventory - Total
Installations
177
Global Options
111
Global Software Management
120
583
Administrator's Guide
Global Troubleshooting
132
O
Global Visual
125
Option File
569
GPO Deployment
114
Option Files
128
H
P
Hardware and Software Inventory 177
Patch Deployment
380
Help Desk Chat
Patch Distribution
117
Patch Reports
177
Path
396
Implementing a Poor Man's Proxy 566
Pre/Post Engine Scripts
405
Inactivity
341
Pre-Defined Reports
INI Files
345
477
I
ICMP
452
Installation
Internet
42, 44, 46
347, 566
L
Legacy Applications
306
Legal Notice
350
Limit Concurrent Logons
552
Log File Viewer
355
Logging
352, 355
Administrative Audit Reports
177
Anti-Spyware Reports
177
Hardware and Software
Inventory
177
Patch Reports
177
Profile Reports
177
User Activity Reporting
177
Pre-Defined Reports
177
Pre-Defined Reports
177
Preferences
M
Printers
Manager63, 66, 67, 68, 69, 70, 71, 72, 76, 87
Profile Activity Report
Menu Bar
66
Profile Objects - Alerts Report
Message Boxes
360
Profile Objects - Anti-Spyware
Microsoft Office Settings
363
Report
Microsoft Outlook Data Files
371
Microsoft Outlook Profiles
357
Microsoft Outlook Settings
365
MSI Packages
434
N
Navigation Pane
584
69
72
409
177
177
177
Profile Objects - Application
Launcher Report
177
Profile Objects - Common Folder
Redirection Report
177
Profile Objects - Display Report
177
Profile Objects - Drives Report
177
Profile Objects - Environment
Report
177
Index
Profile Objects - File Operations
Report
177
Profile Objects - Folder Redirection
Report
177
Profile Objects - General Report
177
Profile Objects - Group Policy
Templates Report
177
Profile Objects - Inactivity Report
177
Profile Objects - INI Files Report
177
Profile Objects - Internet Report
177
Profile Objects - Legal Notice
Report
Profile Objects - Logging Report
Profile Objects - Service Packs
Report
177
Profile Objects - Shortcuts Report 177
Profile Objects - Time Sync Report 177
Profile Objects - Windows Firewall
Report
177
Profile Reports
177
Profiles
Alerts
298
Anti-Spyware
302
177
Common Folder Redirection
310
177
Configuring
87
Profile Objects - Mail Profile Report 177
Device Lockdown
441
Profile Objects - Message Boxes
Report
Display
312
Drive Mappings
318
Environment
322
File Operations
324
File/Registry Permissions
397
Folder Redirection
328
General
330
Inactivity
341
INI Files
345
Internet
347
Legacy Applications
306
Legal Notice
350
Logging
352
Message Boxes
360
Microsoft Office Settings
363
Microsoft Outlook Profiles
357
Microsoft Outlook Settings
365
MSI Packages
434
177
Profile Objects - MS Office Report 177
Profile Objects - Outlook Report
177
Profile Objects - Patch
Management Report
177
Profile Objects - Path Report
177
Profile Objects - Permissions
Report
177
Profile Objects - Post-Engine
Scripts Report
177
Profile Objects - Power
Management Report
177
Profile Objects - Pre-Engine Scripts
Report
177
Profile Objects - Printers Report
177
Profile Objects - Registry Report
177
Profile Objects - Remote
Management Report
177
Profile Objects - Security Policies
Report
177
585
Administrator's Guide
Patch Deployment
380
Security Policies
Path
396
Server Manager145, 150, 159, 160, 163, 166
Pre/Post Engine Scripts
405
Service Pack Deployment
427
Printers
409
Shortcuts
430
Registry
412
SLBYPASS
569
Remote Management
416
SLNOCSD
569
Security Policies
425
SLNOGUI
569
Service Pack Deployment
427
Status Bar
Shortcuts
430
T
Time Sync
440
Technical Support
Using
81
Windows Firewall
Profiles
449
81
Profiles Summary
177
Time Synchronization
Toolbar
Troubleshooting
Registration
59
70
3
440
67
574, 576
U
USB/Port Security
R
425
441
User Activity - Machine User Usage
Report
177
Registry
412
Remote Management
421
User Activity Per Computer Report 177
Remote Management Client
457
User Activity Report
177
User Activity Reporting
177
User Activity - User Machine Usage
Remote Control457, 462, 466, 468, 475, 477, 478,
490, 492, 513, 518, 521, 531,177
543, 544
Report
Report
Pre-Defined
177
V
Scheduling
174
View Pane
Resource Browser
78
68
W
Role Activity Report
177
What is a Profile?
81
Root Mapping Home Directories
555
Windows Firewall
449, 452
S
Scheduled Reports
586
174