Friday, June 20, 2008

Introducing User Profile Wizard 3.0 - Part III

Running additional programs as an Administrator

One of the options that was introduced with User Profile Wizard 2.5 was to be able to run a "follow-on" file - a script or an .exe - in the security context of the local administrator account specified by the /LOCALADMIN command line parameter. This has proved very useful for customers who need to carry out additional tasks using admin permissions. With User Profile Wizard 3.0 we have beefed up this functionality.

To be honest, we didn't have much choice. Because 3.0 supports "push" migrations to remote machines, we had to find a way of running any script or executable someone specifies remotely on that machine. Not only that, but we had to make sure Vista's UAC (User Account Control) technology didn't get in the way. The result is that User Profile Wizard 3.0 can run an application interactively on a user's desktop without the user being prompted to "elevate" the process.

To show how this works, let's try to run something that requires Administrator permissions: Vista's Windows Firewall Settings. Normally, of course, you would never want to do this as part of your migration! However, it is as good an example as any. If you run FirewallSettings.exe (and you are not the administrator) you will see this:

Or, if you are not an administrator at all, this:

If we are running an additional process as part of a workstation migration we definitely do not want the user to be bothered by these UAC prompts.

To get User Profile Wizard 3.0 to run a follow-on file we need to give it some information: the Administrator credentials with an encrypted password, the path of the file we want to run, and a security hash of the file to guarantee that only that file gets run - unchanged - and no other file. Details on how to create the hash are in the User Guide. We just need to add this information to the profwiz.config file:

Note that in this example these are the only settings that are required: we don't have to migrate a profile or join a domain to get profwiz.exe to run the executable for us - although normally we would be running a follow-on file as part of a migration process. In fact, to stop profwiz trying to join the machine to a domain we set the "NoJoin" parameter here to "True."

The other parameter to note is the "NoGUI" parameter under "Advanced Settings." Generally, if you just type "Profwiz.exe" at the command line, User Profile Wizard will start up in GUI mode. Here we don't want that to happen: we want profwiz to just process the config file, and "NoGUI" makes that happen. Now if you type "Profwiz.exe" at the command line, or even just double-click the Profwiz icon, what you get is "Windows Firewall Settings" - and no UAC prompts. You get this even if you are just a regular user with no administrator credentials at all: the credentials are in the file.

Want to run the file on a remote machine? No problem...

profwiz /COMPUTER machinename

Of course, in this case FirewallSettings.exe is a Vista-specific application, so machinename needs to be a Vista machine, but generally this does not need to be the case.

The example here has been a little bit contrived because normally you wouldn't just want to run a file - you would want to migrate a machine. However, I hope that you can see the power that User Profile Wizard can give you over your workstations.
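How a pinned file hash stops a changed follow-on file from running, as an added example that is not part of the original post or of User Profile Wizard. SHA-256, the names `sha256_of` and `check_follow_on`, and the sample file `followon.cmd` are assumptions; the product's own hash format is the one described in its User Guide.

```python
import hashlib
import hmac
import os
import tempfile


class HashMismatch(Exception):
    """Raised when the file on disk does not match the pinned hash."""


def sha256_of(path, chunk_size=65536):
    """Hash the file in chunks so a large executable is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_follow_on(path, pinned_hex):
    """Return the path only if the file's current hash equals the pinned one.

    The check belongs in the privileged launcher, immediately before the
    file is started, so that nothing a user edits afterwards can skip it.
    """
    actual = sha256_of(path)
    # Hex may be stored upper-case; compare in constant time after normalising.
    if not hmac.compare_digest(actual, pinned_hex.strip().lower()):
        raise HashMismatch(f"{path}: pinned {pinned_hex}, found {actual}")
    return path


def demo():
    """Constructed sample: pin a script, run the check, then tamper with it."""
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        target = os.path.join(folder, "followon.cmd")  # hypothetical file
        with open(target, "wb") as handle:
            handle.write(b"@echo approved task\r\n")
        pinned = sha256_of(target)  # value the administrator would store
        results["unchanged"] = check_follow_on(target, pinned.upper()) == target
        with open(target, "ab") as handle:  # a later edit to the same path
            handle.write(b"@echo something else\r\n")
        try:
            check_follow_on(target, pinned)
            results["tampered_rejected"] = False
        except HashMismatch:
            results["tampered_rejected"] = True
    return results
```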

You can check out User Profile Wizard 3.0 for yourself here.

Introducing User Profile Wizard 3.0 - Part II

The profwiz.config file

User Profile Wizard is a very powerful desktop migration tool - and we have plans to make it even more powerful. However, the danger is that the more functionality you add to a tool the more difficult it gets to use. Say I want to migrate my profile to my new domain account, join my workstation to the domain, and create the computer account in the "Workstations" OU. A typical command line would look like this:

Now, OK, if you are using the Deployment Kit to generate a migration script this complexity will be hidden from you. But if you are using User Profile Wizard to create your own migration process, or if you want to modify the script that the Deployment Kit created, simplifying the command line can only be a good thing.

If we look at the command line above, we can see that most of the parameters will stay the same for every machine that we migrate. The domain name, the administrator credentials, the log file, and in all likelihood the OU as well, will be the same each time. Only the user account details will change. User Profile Wizard 3.0 allows you to save the parameters that stay the same in its profwiz.config file so you don't have to enter them on the command line.

profwiz.config is a standard XML file. You can edit it in Notepad or any XML editor of your choice. The job of profwiz.config is to provide default parameters for User Profile Wizard to use. Here's a profwiz.config file to provide the parameters needed for the migration above:

Now the command line to migrate the profile and join the machine to the domain is just:

profwiz /ACCOUNT David /LOCALACCOUNT David

which has got to be easier! Of course, User Profile Wizard 3.0 can migrate machines remotely, so we could use:

profwiz /COMPUTER computer /ACCOUNT domain_account /LOCALACCOUNT accountname

for each computer we want to migrate.

One of the cool things about the profwiz.config file is that it is read by User Profile Wizard when it is running in GUI mode as well as when it is running from the command line. This means that you can pre-populate the fields in the Wizard with the settings you need, like the domain name and the options for disabling the local account or setting the default logon, etc. For the first time, you can add machines to a specific OU using the GUI by specifying the AdsPath in the profwiz.config file. This goes for the free version of the Wizard too. With the Corporate Edition you can even specify the administrator credentials so that the Wizard won't prompt you. It's all about making your migration easier.

You can check out User Profile Wizard 3.0 for yourself here.


Introducing User Profile Wizard 3.0

Push Migrations
So what's new with User Profile Wizard 3.0? The big change is that User Profile Wizard 3.0 enables you to do "push" migrations. What's a push migration? A push migration is where you can send (or "push") the instructions needed to migrate a machine - say from one domain to another - from another machine. In other words, you can migrate the workstations on your network from your desktop.

Up to now User Profile Wizard has only supported "pull" migrations. Typically this means that when a user logs on to their machine, they pull down a script from the network which migrates their machine. This methodology has proved to be extremely effective over hundreds of thousands of migrations, and will probably remain the dominant means of migrating workstations - especially for large scale migrations. In some organizations however, a push migration may be felt to be more appropriate: if that is the case, User Profile Wizard 3.0 can certainly help.

Under the surface there have been some major architectural changes to User Profile Wizard 3.0 to allow for push migrations. We've kept the familiar Windows Wizard interface for User Profile Wizard 3.0 the same, however. What you do get is a new option:

When you click next, the Wizard will attempt to connect to the remote machine, prompting you for a username and password as required. If the remote machine is already joined to a domain this should be fairly painless. If however the remote machine happens to be a Vista workstation in a workgroup you may have to do some configuration before you start: workgroup Vista machines allow only the local Administrator account to access the machine remotely - an account that is disabled by default!

Once you have specified the domain and username of the account that you want to use an existing user profile, the Wizard will show you a list of the profiles - profiles that are on the remote machine, of course.

To migrate a profile you simply need to select it and click next. If the Wizard needs to join the remote machine to a new domain you will be prompted whether you want to restart the machine now. If you say "Yes" the remote machine will reboot in two minutes: anyone logged onto the machine will get a warning, but will not be able to prevent the reboot.

Console Support

Being able to just connect to another machine on the network and migrate it using the GUI on your desktop is pretty cool, but what if you don't want to have to use the GUI every time? Can you do push migrations using the command line and maybe script the whole process? Well of course you can! User Profile Wizard 3.0 has the additional command line parameter /COMPUTER to allow you to specify the remote computer you want to target.

The screenshot above also shows another new feature of User Profile Wizard 3.0: console support. The Wizard is a Windows application, but it can now also run fully in a console window - if that's the way you want to work.

With User Profile Wizard 3.0 we've worked hard to maintain the consistency and reliability of User Profile Wizard 2.5 while adding new features to make administering workstation migrations easier - especially when it comes to Windows Vista.

You can check out User Profile Wizard 3.0 for yourself here.


Thursday, June 19, 2008

Joining a Samba Domain

Generally there is not much crossover between this blog and my Journey into Linux. However, if you are interested in what a Windows workstation gets up to when it joins a domain, you might want to check this post.