Audit Utility DSReport

Novell Audit Utility - DSReport
In order to accurately assess all Novell products installed in a customer environment there are a number of
tools which can be used to conduct this audit. Some tools are better suited to gathering information than
other tools. DSReport can extract any information from NDS, given that the operator has sufficient rights in
NDS to query the objects. NDIR is required to determine the date that a directory on a volume was last
accessed. NWAdmin is used to determine Licenses installed in the NDS Organisational Units.
NetWare
Novell licenses are based on a combination of active users and active printers or print servers. Most sites
run with one print queue per printer. It is difficult to determine which printers are active since there is no
property which reflects the last date a printer was used. Since printers use queues for storing files before
they are actually printed, the queue directory will indicate the last time the directory was accessed – a file
was printed. By analysing the Print Queue object and identifying the queue directory, active printers can be
determined.
ZENworks
If the customer has installed ZENworks then it will be necessary to count the number of active users in the
network. Unlike NetWare licenses, the active user count does not include printers.
NDS for NT and Corporate Edition
NDS for NT and Corporate Edition are typically licensed on a Managed User basis – that is, the user has
an entry in the NT Domain or has a Unix (Solaris) or a Linux Profile. These properties are defined in
the User Object as IWS:Domain Membership for NT Domain users, UNIX:UID is used for Unix and
Linux. If one of these properties has a value, then this indicates the user is consuming a license of NDS
Corporate Edition.
BorderManager
If the customer has BorderManager, it may involve a Server License and Client licenses or it may be on a
Node License Basis. If a License has been installed, it will appear as an object in the NDS, and NWAdmin
has a Novell License Reporting option under the Tools Menu selection. (License objects are typically
stored in the same Organisation Unit as the Server they are installed on.) If Nodal licensing is used, then
the Active User count (without printers) is the measure of licenses. (BorderManager VPN does not update
the date last logged in property of the user object, so users who only use VPN will have to be identified and
counted as active users.)
ManageWise and ZENworks
If customers have ManageWise and ZENworks, ManageWise is measured on the number of NetWare and
NT servers running ManageWise agents and the total number of installed ManageWise consoles.
View|All|NetWare Servers and |NT Servers, will indicate how many servers have agents running.
If ManageWise is used, but not ZENworks, then the total number of workstation objects and printer objects
is the measure of licenses.
GroupWise
GroupWise is based on the number of Mailboxes in use. This can often be much higher than the active
users on a network due to alternate mailboxes, e.g. sales@xyz.com, and corporate governance requiring that
email must be retained for a certain number of years after a user has left. Use NWAdmin, with GroupWise
administration snap-ins installed. Go to Tools| GroupWise View|. Select GroupWise System, <Right
Mouseclick> and choose Information. This will display the User Count – the total number of users of the
GroupWise System.
Running the DSReport Utility
The DSReport Utility can be used to extract NDS information to a CSV file, which may then be
manipulated with MS Excel. These reports will need to be run for each NDS tree in a customer network.
DSReport requires Admin access to the tree in order to get access to all attributes of the User Objects,
Printer objects, Print Queue objects.
Setting Context in DSReport Searches
Run DS Report and select the Context to start the query from. It may be that in a very large tree, you want
to break the information gathering up into a number of geographical areas. Searching can take some time
depending on replica placement in the network. The search will run fastest if the user has access to all
replicas, locally.
Selecting Object Type in DSReport
DSReport highlights all the base and extended object classes in the middle window.
Having selected an object type in the left side list, the properties of that object will be displayed in the right
side list. Highlight the properties you wish to report on. In order to make multiple property selections,
hold the <CTRL> key while clicking on each property.
Selecting Report Output format
The report output may be in a CSV (Comma-Separated-Variable), TSV (Tab-Separated Variable), Excel
Spreadsheet Format or Text Format. Select which option you prefer. Press the <RUN> button in order to
start your query.
Output Results
It is possible to check that there were results from a query by looking at the Output Screen. Once you are
happy with the results the data can be saved from the Multi-Object Report window.
Saving Data
After the extract has completed, control will be returned to DSReport and you may save the data to file.
Data is saved based on the Object type you queried.
User Object Data
A query of user objects will return all users in the selected contexts and sub-contexts.
Select the following properties of the user object:
- CN – Common Name
- Last Login Time – Date the user last logged in
- Full Name – optional and may not always have data
- OU – optional and helpful to identify users
After extracting the data, it is preferable to sort the data based on the Date Last Logged In field.
There are 4 totals required for Novell Audit purposes:
1. Total Users: Total number of Users
This is the total number of rows in the extracted data
2. Never Logged In: Users who have never logged in
This is the total number of rows with no entry in the Date Last Logged in field
3. Inactive Users: Users who have not logged in in 60 Days
This is the total number of rows where the Date Last logged in is greater than 60 days from the date the
report was extracted
4. Active Users: Users who have logged in in the last 60 Days
This is the total number of rows where the Date Last logged in is less than or equal to 60 days from the
date the report was extracted
All these fields need to be recorded on the Audit Finding Sheets. The most important group of users are the
Active Users. Scan the data in the Active Users list specifically looking for Administrative User-Ids,
Duplicates, Test User-Ids and shiftworkers. Please refer to the Audit Documentation for information
relating to these different User-Ids and where to record the information.
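The four totals above, computed from a CSV extract, as an added example that is not part of the original document or of DSReport. The sample rows, the ISO date format and the function name audit_user_totals are assumptions; the example also lists Active Users whose CN occurs more than once, as a starting point for the duplicate check.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export; real DSReport output may use another date format.
SAMPLE_CSV = """CN,Last Login Time,Full Name,OU
admin,2000-04-19,,IT
jsmith,2000-04-01,John Smith,Sales
JSmith,2000-03-30,Jane Smith,Finance
test01,,Test Account,IT
bjones,2000-01-15,Bob Jones,Sales
kwong,2000-02-20,,Finance
"""


def audit_user_totals(csv_text, extracted_on, window_days=60,
                      date_format="%Y-%m-%d"):
    """Return (totals, duplicate_active_cns) for a user-object extract."""
    # A login exactly window_days before the extract date still counts as active.
    cutoff = extracted_on - timedelta(days=window_days)
    totals = {"total": 0, "never_logged_in": 0, "inactive": 0, "active": 0}
    active_seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        totals["total"] += 1
        raw = (row.get("Last Login Time") or "").strip()
        if not raw:
            # No entry in the login field: the user has never logged in.
            totals["never_logged_in"] += 1
            continue
        last_login = datetime.strptime(raw, date_format).date()
        if last_login < cutoff:
            totals["inactive"] += 1
        else:
            totals["active"] += 1
            # Compare CNs case-insensitively; the same CN can exist in several OUs.
            cn = row["CN"].strip().lower()
            active_seen[cn] = active_seen.get(cn, 0) + 1
    duplicates = sorted(cn for cn, n in active_seen.items() if n > 1)
    return totals, duplicates


if __name__ == "__main__":
    totals, duplicates = audit_user_totals(SAMPLE_CSV, date(2000, 4, 20))
    print(totals)
    print("Active CNs appearing more than once:", duplicates)
```

Never Logged In rows are kept apart from Inactive Users, so the last three totals always add up to Total Users.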
Printer and Print Server Object Data
The Audit Worksheets ask that Printers and Print Server numbers be recorded. The higher of Printers or
Print Servers is used to determine the Total MLA Connections. Because printers and Printservers are not
always removed from the tree when they are decommissioned, there will often be many more printers
defined than there are printers in operation. The following procedures will help identify these inactive
devices.
Printer Objects
Select the following properties:
- CN=Common Name: Printer name as defined in NDS
- OU=the Context the printer is defined in: Helps to identify the location of the printer
This information should be recorded on the Audit Worksheet for each tree.
Print Server Objects
Select the following properties:
- CN=Common Name: Printserver name as defined in NDS
- OU=the Context the printserver is defined in: Helps identify the location of the printserver
This number must be recorded on the Audit Worksheet for each NDS Tree.
Excessive numbers of Printers – What to do…
If there are excessive numbers of Printers or PrintServers, the following information may be gathered to
help assess how many printers are active – that is those printers which have been used in the last 60 days.
PrintQueue Objects
Most printers connected to NetWare networks use Print Queues for spooling of jobs prior to printing.
Instead of printing directly to a printer, as is the case with a printer connected to a workstation’s serial or
parallel ports, the workstation stores the print job in a queue on the server. When the printer is ready, it will
print the printjob from the file stored on the server. By examining the dates in the Queue directory, it is
possible to determine the last time a print queue was used.
Note: This is a fairly imprecise science since there can be more than one printer using a print queue and
there can be more than one print queue used by a printer. If you divide the number of Print Queues by the
number of printers, you can assume that the result is the average number of print queues per printer.
By using the following procedure, you will be able to determine how many printers to reduce the count by
in order to come up with the Total MLA Connections.
Extract the following properties of the Print Queue object:
- OU: Identifies printer location in NDS
- CN: Print Queue Name
- Device: Multi-valued field listing all printers on this queue
- Queue Directory: Directory on a NetWare Volume for this queue
- Volume: Server and Volume name to query
Having identified this information, it is best to sort the data by Volume and Queue Directory. It is now
necessary to map a drive to the server and volume in order to query the dates. Queues are typically stored in
the Queues directory off the root of the volume.
Change Directories to the directory the queues are stored in, for example:
CD QUEUES
The command
NDIR *.QDR /UP BEF 04/20/2000 /c /s > C:INACT-PQ.TXT
will output all queue directories which have not been updated (used) since 5th April 2000, and will store
the results in a file called INACT-PQ.TXT on the C Drive.
The command
NDIR *.QDR /UP AFT 03/20/2000 /c /s > C:ACTIVE-PQ.TXT
will output all queue directories which have been updated (used) since 5th April 2000, and will store the
results in a file called ACTIVE-PQ.TXT on the C Drive.
This process needs to be repeated for each server listed in the Volume column of the Print Queue data
extract.
It is then necessary to check the entries in the INACT-PQ.TXT file against those listed in the Print Queue
list to determine how many print queues are inactive. This figure should then be divided by the average
number of print queues per printer, to determine how many printers to reduce the count by.
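The cross-check and division described above, as an added example that is not part of the original document. The sample extract, the value format of the Queue Directory and Volume columns, the per-server sets of inactive directory names and the rounding down of the result are all assumptions.

```python
import csv
import io

# Constructed sample of the Print Queue extract (columns as listed above).
QUEUE_EXTRACT = r"""OU,CN,Device,Queue Directory,Volume
Sales,Q1,P1,QUEUES\0A010001.QDR,FS1_SYS
Sales,Q2,P1,QUEUES\0A010002.QDR,FS1_SYS
Finance,Q3,P2,QUEUES\0A010003.QDR,FS1_SYS
Finance,Q4,P3,QUEUES\0A010001.QDR,FS2_SYS
IT,Q5,P4,QUEUES\0A010002.QDR,FS2_SYS
IT,Q6,P4,QUEUES\0A010003.QDR,FS2_SYS
"""

# Constructed: directory names read from each server's INACT-PQ.TXT, keyed by
# the Volume value of the server the NDIR command was run against.
INACTIVE_DIRS = {
    "FS1_SYS": {"0A010001.QDR", "0A010003.QDR"},
    "FS2_SYS": {"0A010001.QDR"},
}


def printer_reduction(extract_csv, inactive_dirs, printer_count):
    """Count inactive queues and convert them into a printer reduction."""
    rows = list(csv.DictReader(io.StringIO(extract_csv)))
    result = {"inactive_queues": 0, "avg_queues_per_printer": 0.0,
              "reduce_printers_by": 0}
    if not rows or printer_count <= 0:
        return result  # nothing to divide by
    for row in rows:
        # Keep only the last path component of the queue directory.
        name = row["Queue Directory"].replace("/", "\\").rsplit("\\", 1)[-1]
        # Match per volume: the same directory name can exist on two servers.
        per_volume = inactive_dirs.get(row["Volume"].strip().upper(), set())
        if name.strip().upper() in per_volume:
            result["inactive_queues"] += 1
    average = len(rows) / printer_count
    result["avg_queues_per_printer"] = average
    # Assumption: round down so the printer count is never reduced too far.
    result["reduce_printers_by"] = int(result["inactive_queues"] / average)
    return result


if __name__ == "__main__":
    print(printer_reduction(QUEUE_EXTRACT, INACTIVE_DIRS, printer_count=4))
```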
License Objects
Various Novell packages use the Novell Licensing Services to record the licenses in use. Licenses are
usually recorded in the same Organisation Unit as the server they are installed on. NWAdmin has a utility
under Tools|Novell Licensing Services|Novell License Report, which allows you to extract the license
objects in an NDS tree and save them to file or print the list out.
Note: you will have to do this from an administrator’s workstation which has the necessary snap-ins to
NWAdmin for Novell Licensing Services.
Novell BorderManager is one such product which uses Licensing Services to define the Servers which have
BorderManager components loaded.
This is not an area which is covered in the Novell MLA Audit process – it is here to help customers
determine what Novell Products they have installed in their environment and hence what they should be
licensed to use.
Disclaimer
This document has been prepared by Novell Australia, Enterprise Business Unit to assist MLA customers
to determine what is the correct number of licenses they should have installed.
Comments on these procedures may be made to Ross Ford, Rford@novell.com or mobile +61-417-450585