NetControl™ Administrator’s Guide
NC-AG-0708-310
Copyright © 2008 NetPro Computing, Inc.

Disclaimer

NetPro Computing, Inc. (NetPro) makes no representations or warranties, either expressed or implied, with respect to the adequacy of this documentation or the programs which it describes in regard to fitness for any particular purpose or with respect to its adequacy to produce any particular result. The computer programs and documentation are sold “as is”, and the entire risk as to quality and performance is with the buyer. In no event shall NetPro be liable for special, direct, indirect or consequential damages resulting from any defect in the programs, documentation or software. Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, in which case the above limitations and exclusions may not apply to you.

Proprietary Rights

NetPro has prepared this document for use by NetPro personnel, agents, licensees and customers. The information contained in this document is the property of NetPro. You may not reproduce, translate, or transmit it in any form or by any means, electronically or mechanically, without prior written permission from NetPro.

Disclaimer of Liability

NetPro makes no representation or warranties of any kind, either expressed or implied, with respect to the contents of this manual, including but not limited to typographical errors and technical completeness. NetPro reserves the right to revise this publication and to make changes in its content without obligation to notify any person of such revision or changes.

Trademarks

NetPro Computing and NetPro are registered trademarks and NetControl, NetControl for Exchange, AccessManager, AccessReporter for Windows, Business Insight, GPOADmin, LogADmin, ReportADmin for ACS and the NetPro logo are trademarks of NetPro Computing, Inc. Microsoft, Windows NT, Windows 2000, Windows Server 2003, Windows Server 2008, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation. Other product names mentioned in this manual may be trademarked: they are used for identification purposes only.
Document Revision History

ES-AG-1007-200      October 2007     Enterprise Server 2.0
ES-AG-1107-250      November 2007    Enterprise Server 2.5
ES-AG-1207-260      December 2007    Enterprise Server 2.6
ES-AG-0408-260-A    April 2008       Enterprise Server 2.6 with Business Insight 3.0
ES-AG-0608-260-B    June 2008        Enterprise Server 2.6
NC-AG-0708-310      July 2008        NetControl 3.1
NetPro Computing, Inc.
Corporate Office
4747 N. 22nd Street, Suite 400
Phoenix, Arizona 85016 USA

Telephone: 602 346 3600
FAX: 602 346 3610
Email: [email protected]
Internet: http://www.netpro.com

Sales
USA and Canada: 800 998 5090
International: +1 602 346 3630

Worldwide Technical Support
USA: 1 602 346 3670
USA (Toll Free): 1 866 9 NETPRO
Germany: 0800 180 2577
UK: 0 0800 047 0197
France: 0800 917881
Australia: 1 800 773 850
Email: [email protected]
Table of Contents

Chapter 1: Introduction
    System Overview
    What’s in this Guide
    How to Get Additional Help

Chapter 2: NetControl Overview
    Connecting to the NetControl Console
    NetControl Console Components

Chapter 3: Application Security
    Considerations for Implementing Application Security
    Implementing Application Security

Chapter 4: Agents
    Agents Pane
    Considerations for Deploying Agents
    Deploying Agents

Chapter 5: Agent Groups
    Agent Groups Pane
    Creating Agent Groups

Chapter 6: Computer Lists
    Computer Lists Pane
    Building Computer Lists

Chapter 7: Schedules
    Schedules Pane
    Defining Schedules

Chapter 8: Collectors
    Collectors Pane
    Defining a Collector

Chapter 9: Active Directory Management Console
    Active Directory Management Console Pane
    Creating a Custom View
    Establishing a Connection
    Creating Provisioning Rules
    Configuring Workflow for an ADMC Action
    Modifying Active Directory When Workflow is Applied

Chapter 10: Workflow
    Workflow Editor
    Workflow Pane
    Managing Workflow Requests
    Reviewing and/or Approving Workflow Requests
    Using Microsoft Outlook to View Workflow Items

Chapter 11: Reports
    Reports Pane
    Generating NetControl Reports

Appendix A: NetPro Applications Using NetControl Components

Appendix B: Email Setup
    Configuration Page - NetControl Email Pane
    Setting up Email

Appendix C: Active Directory Users and Computers (ADUC) Extension
    Usage Notes
    Using the ADUC Extension
    Removing the ADUC Extension
    Re-installing the ADUC Extension

Appendix D: NetControl Troubleshooting
    NetControl Console
    ADMC Functionality
Chapter 1: Introduction

NetControl (formerly known as Enterprise Server) provides a centralized interface to configure and manage individual services and provides licensed NetPro applications access to shared services and data. In addition, NetControl’s Active Directory Management Console (ADMC) extends Microsoft’s Active Directory Users and Computers (ADUC) interface to optimize Active Directory management. With ADMC, you can enforce approval processes for tighter security, while providing compliance for regulations. You can also add business logic to automate common Active Directory tasks, giving you greater control and scalability.

This document describes the base NetControl console (including ADMC), its components and the shared services that are available. Please refer to the documentation of each individual application for information on the components that are made available through the console once the application is deployed (e.g., workflow, collectors, etc.).

This chapter provides the following information:
• System Overview
• What’s in this Guide
• How to Get Additional Help
System Overview

The NetControl platform consists of three main components:
• NetControl Console
• NetControl Service
• NetControl Agent

The NetControl Console provides the user interface to all functionality of the NetControl Service, the ADMC and licensed NetPro applications that build upon the NetControl platform. Through the console, you can interact with and retrieve information from each deployed application.

The NetControl Service is one of the core components of the application. Your ability to gain access to application data or configure the application depends on the communication between the console and the NetControl Service. Since the service is your 'gateway' into the application, the security model of the application is housed here.
As it relates to the application, NetControl Agents do all of the workload processing. They communicate directly with the SQL Database on a configured interval to receive a list of actions that need to be executed. Each NetPro application that builds upon the NetControl platform will define the work that needs to be processed on a scheduled basis.
What’s in this Guide

This manual assumes you have a working knowledge of Active Directory and consists of the following chapters:

Introduction
This chapter introduces NetControl and provides a system overview of the NetControl platform. It also describes the contents of this manual and information on obtaining additional assistance from NetPro.

NetControl Client Overview
Chapter 2 introduces the base NetControl console and includes a description of the menu commands, tool bar buttons, navigation pane, explorer view and object list.

Application Security
Chapter 3 explains how to implement application security to build a secure deployment.

Agents
Chapter 4 provides a brief description about agents, describes the Agents pane and the New Agent dialog, and provides instructions on how to deploy an agent.

Agent Groups
Chapter 5 provides a brief description about agent groups, describes the Agent Groups pane and the New Agent Groups dialog, and provides instructions on how to set up an agent group.
Computer Lists
Chapter 6 provides a brief description about computer lists, describes the Computer List pane and the New Computer List dialog, and provides instructions on how to build a computer list.

Schedules
Chapter 7 provides a brief description about schedules, describes the Schedules pane and the New Schedule dialog, and provides instructions on how to set up a schedule.

Collectors
Chapter 8 provides a brief description of collectors and the NetControl components that are part of setting up a collector. Please note that the Collector button is available in the navigation pane when NetControl is installed. However, there must be a NetPro application deployed that uses the collectors before data collections can be configured/viewed.

Active Directory Management Console
Chapter 9 describes the Active Directory Management Console (ADMC), which is part of the base NetControl platform. It describes the ADMC pane and provides instruction on how to perform the various tasks that can be performed from this pane to administer directory information.

Workflow
Chapter 10 explains how to use the Workflow Editor to set up actions for the workflow queue where a review and approval is required before the action can be committed and deployed in your environment. It also explains the workflow process and how to review/approve requests using the Workflow pane or Microsoft Outlook.

Reports
Chapter 11 provides information on the Reports pane and the NetControl reports. It also explains how to run a report using the NetControl console.

Appendix A: NetPro Applications Using NetControl Components
This appendix provides a table that shows the NetPro applications that can be deployed and the base NetControl components that they use.

Appendix B: Email Setup
This appendix describes the NetControl Configuration pane where you can set up the email account and SMTP server to be used for email notifications.

Appendix C: Active Directory Users and Computers (ADUC) Extension
This appendix provides additional information regarding the ADUC extension that is activated when NetControl is installed.

Appendix D: NetControl Troubleshooting
This appendix covers some of the known issues with NetControl and provides troubleshooting tips for resolving these issues if they are encountered.

Index
The Index provides an alphabetical subject listing for the contents of this manual.
How to Get Additional Help

NetPro offers a variety of ways to get additional help:
• My.netpro.com enables you to perform many tasks that you may have once conducted with the help of a NetPro representative.
• 24x7 Technical Support is available through an annual Software Maintenance Contract.
• NetPro Professional Services offers a range of professional services to help you through every stage of your technology lifecycle.

For more information on using NetControl’s Active Directory Management Console (ADMC), please visit http://www.turbochargedad.com.
My.netpro.com

NetPro’s customer portal site enables you to perform many tasks that you may have once conducted with the help of a NetPro representative. Now, you can do them all on the customer section of our website -- https://www.netpro.com. My.netpro.com was designed to provide you with the best possible service and deliver it conveniently and quickly -- when you need it.

Here’s what you can do on my.netpro.com:
• submit and update support incidents
• view your product purchases
• view your maintenance purchases
• subscribe and/or unsubscribe from NetPro’s news list(s)
• request product information and literature
• request product evaluation software
• search our technical support knowledge base
• sign up to participate in the NetPro Beta Program

https://my.netpro.com is a completely secure site and you will need login credentials to access the area each time you visit. On your first visit, you will create the credentials to be used every time you return to the site.
24x7 Live Technical Support

NetPro offers industry-leading technical support every business day throughout North America and Europe. NetPro’s qualified support technicians can be reached at the addresses and numbers listed below:

NetPro
4747 N. 22nd Street, Suite 400
Phoenix, Arizona (USA) 85016

U.S.: 1 602 346 3670 or Toll Free 1 866 9 NETPRO
Germany: 0800 180 2577
UK: 0 0800 047 0197
France: 0800 917881
Australia: 1 800 773 850
FAX: 1 602 346 3610
Email: [email protected]
Professional Services

NetPro service professionals leverage proven methodologies, industry best practices, and more than 30 years of combined Microsoft management experience to help organizations reach their business-critical goals. To help you get the most from our solutions, NetPro Professional Services offers help with:
• Deployment: Choose QuickDeploy for a rapid return on investment or CustomDeploy for end-to-end phased delivery of NetPro solutions based on your specific business needs.
• Reporting & Analysis: If you’re looking for specific executive, operational, or compliance reports, we’ll deliver business intelligence tailored to your organizational needs.
• Optimization: Make sure you’re getting maximum value from NetPro solutions with help for everything from optimizing your current solution to product training.

To learn more about NetPro Professional Services, please contact your NetPro sales representative or [email protected].
Chapter 2: NetControl Overview

NetControl provides a centralized interface for managing Active Directory and provides shared resources to other NetPro applications. The resources available through the NetControl Console include:
• Application Security provides component level security for all application components.
• Configuration provides options for setting up email and configuring certain NetPro applications.
• Agents perform the work defined by licensed NetPro applications that build upon the NetControl platform.
• Agent Groups are logical or physical groupings of agents used for distributing workload processing.
• Computer Lists are a way to group physical computer resources based on explicit or dynamically generated content.
• Schedules are reusable components that define when tasks are to be performed.
• Collectors define what data is to be collected from various resources. The collectors available are based on the licensed NetPro applications that build upon the NetControl platform.
• Active Directory Management Console (ADMC) extends Microsoft’s Active Directory Users and Computers (ADUC) interface to optimize Active Directory management.
• Rules can be defined using the ADMC to add business logic to automate common Active Directory tasks.
• Workflow allows you to set certain actions that must adhere to a review and approval workflow process. Workflow is available for actions performed in the ADMC as well as some of the other licensed NetPro applications that build upon the NetControl platform.
• Reports provide a central location for defining the content and generating reports about the NetControl components and some of the deployed NetPro applications.

This chapter describes the layout of the base NetControl Console and how to access the shared resources, including the following information:
• Connecting to the NetControl Console
• NetControl Console Components
Please refer to the documentation for each individual application for information on the additional components that are deployed with each application. To determine the shared components that each licensed NetPro application uses, see Appendix A: NetPro Applications Using NetControl Components on page 121.
Connecting to the NetControl Console

From the computer where the NetControl console is installed:
1. Select Start | All Programs | NetPro | NetControl | Console.
2. On the NetPro NetControl Connection dialog box, use the drop-down arrow to select the NetControl server to be used (or from the keyboard, select the down arrow twice).
3. Optionally, select the Remember connection check box to use this server the next time you run NetControl. If selected, the connection dialog is only displayed if the specified NetControl server is not available.
   NOTE: To disable the Remember Connection setting, use the Help | About menu command to display the About NetPro NetControl dialog and deselect the Remember Connection check box on this dialog.
4. Click the Connect button to connect to the NetControl server.
NetControl Console Components

The NetControl console provides the user interface for accessing the shared resources, ADMC and licensed applications that build upon the NetControl platform. The console consists of the following main components, which are pointed out in the illustration below:
• Menu Bar – displays the menus for accessing commands.
• Tool Bar – provides quick access to commonly used commands.
• Explorer View – displays a hierarchy of resource containers (folders) used to organize the resources that can be created and managed. This view is populated based on the button selected in the navigation pane.
• Navigation Pane – provides access to the base NetControl resources, ADMC and licensed NetPro applications that use the NetControl platform. The following are the components installed when NetControl is first installed:
    • Configuration – provides options for setting up email and configuring certain NetPro applications.
    • Resources – provides a central location for deploying agents, creating and maintaining agent groups, computer lists and schedules.
    • Collectors – provides a central location for defining data collections. The resource containers in this pane are based on the licensed NetPro applications that use data collection. For more information, refer to the individual product documentation.
    • Active Directory – provides access to the ADMC which extends Microsoft’s Active Directory Users and Computers (ADUC) interface to optimize Active Directory management.
    • Workflow – provides a list of workflow items in the workflow queue if there are actions configured to use workflow. Actions performed using the ADMC and some of the other licensed NetPro applications use the workflow feature.
    • Reports – provides a central location for defining and generating reports for the NetControl components. There may also be reports for the other deployed NetPro applications.
• Information Panes – the contents of the right-hand pane depends on the button selected in the navigation pane and the node/container selected in the explorer view. This pane may display the objects available in the selected node/container and supporting details or options for configuring the selected component.
Menu Bar

The NetControl console menus follow the same convention as standard Windows menus. That is, commands are grouped under a menu on the menu bar. Some of these commands perform an action immediately; others display an additional dialog or launch a wizard where you select various options or specify additional information.

The following sections describe the default commands that are available when you install NetControl. As you deploy NetPro applications, there may be additional commands displayed. Refer to the documentation for each individual application for more information about commands specific to each application.
Action Menu

Exit
Use the Exit command to close the NetControl console.

Go Menu

Configuration
Use the Configuration command to open the Configuration pane to set up email and configure each of the deployed NetPro applications.

Resources
Use the Resources command to open the Resources pane to deploy agents and create, modify or view agent groups, computer lists and schedules.

Collectors
Use the Collectors command to open the Collectors pane to define the data to be collected. The resource containers available are based on the NetPro applications that use data collection.

Active Directory
Use the Active Directory command to open the ADMC to administer directory information.

Workflow
Use the Workflow command to open the Workflow pane to review/track the items in the workflow queue.

Reports
Use the Reports command to open the Reports pane to define the content and generate reports.

View Menu

Refresh (F5)
Use the Refresh command to redisplay the contents on the window.
Help Menu

Contents
Use the Contents command to display the Contents pane and initial page of the NetControl online help.

Search
Use the Search command to display the Search pane and initial page of the NetControl online help.

Index
Use the Index command to display the Index pane and initial page of the NetControl online help.

About
Use the About command to display general release information about the NetControl Service, NetControl Console and licensed NetPro products.
Tool Bar

The tool bar buttons provide quick access to commonly used commands.
Use the Refresh button to redisplay the contents on the window.
Use the Help button to display the online help for the application.
Use the New button to create a new object (e.g., agent group, computer list, schedule) or a new folder for organizing objects. The icon changes depending on the resource container selected in the explorer view.
Use the Permissions button to define the delegated permissions for the resource container selected in the explorer view or the object selected in the object list. Selecting this button will display the Permissions dialog showing the delegated permissions for the selected application component. Depending on the object selected and the NetPro application deployed, a Workflow button may also be displayed on the Permissions dialog which allows you to set up workflow for the selected item.
Use the Delete button to remove the object selected in the object list.
Use the Properties button to display the properties for the object selected in the object list. From this dialog, you can modify the properties previously defined for the selected object.
Use the Start Agent button to start the agent selected in the Agents page. This button is only available on the Agents page of the Resources pane.
Use the Stop Agent button to stop the agent selected in the Agents page. This button is only available on the Agents page of the Resources pane.
Use the Restart Agent button to stop and start the selected agent. This button is only available on the Agents page of the Resources pane.
Explorer View

The explorer view is located in the left pane and is populated based on the button selected in the navigation pane. From this pane, you can create objects and organize these objects in resource containers. By right-clicking a folder in the explorer view, you can perform the following tasks:

New |
Use the New | command to create a new object (e.g., computer list, agent group, schedule). Selecting this command will display the appropriate dialog allowing you to define the new object. The types available depend on the NetPro application(s) deployed to use the NetControl console. Not available on the Reports pane.

New | Folder
Use the New | Folder command to create a new folder in the explorer view to organize the objects being created. Selecting this command will add a new folder under the currently selected container in the explorer view. Not available on the Reports pane.

Run
From the Reports pane, use the Run command to define a new report. Selecting this command will display the appropriate report dialog allowing you to define the contents of the report, specify the output options, specify the data source and schedule execution of the report. This command is only available on the Reports pane.

Delete
Use the Delete command to remove a user-defined container from the explorer view and any child folders and objects created in the selected container. This command is only available for user-defined containers. Not available on the Reports pane.

NOTE: You can NOT delete the default parent containers initially displayed when the product is installed. If you select one of these parent containers and select the Delete command, all of the folders or objects that have been added to the selected parent container will be deleted.
Rename
Use the Rename command to change the name of the selected user-defined container. This command is only available for user-defined containers. Not available on the Reports pane.

Permissions
Use the Permissions command to display the delegated permissions for the selected container. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15. Depending on the object selected and the NetPro application deployed, a Workflow button may also be displayed on the Permissions dialog which allows you to set up workflow for the selected item. See Chapter 8: Workflow on page 53.

Refresh
Use the Refresh command to retrieve and display the latest information.
Navigation Pane

The navigation pane is located in the lower left pane of the console and contains buttons that allow you to access the base NetControl components. As you deploy and license NetPro applications, additional buttons may be displayed. Selecting a button in this pane will populate the resource containers in the explorer view used to organize the objects being created and managed through the NetControl console.
Selecting the arrows at the bottom of the navigation pane displays the following commands allowing you to control the buttons displayed in the navigation pane:

Show More Buttons
Use the Show More Buttons command to display buttons that have been previously removed from the bottom of the navigation pane using the Show Fewer Buttons command.
Show Fewer Buttons
Use the Show Fewer Buttons command to remove the bottom-most button from the navigation pane.

Navigation Pane Options
Use the Navigation Pane Options command to display the Navigation Pane Options dialog where you can select (check) the buttons to be displayed and change the order of the buttons displayed on the navigation pane.

Add or Remove Buttons
Use the Add or Remove Buttons command to select the buttons to be hidden/displayed in the navigation pane.

You can also resize the navigation pane to hide the bottom-most button(s). To resize this pane, place your cursor at the top of the pane until your cursor is replaced with a double arrow. Hold down the right mouse button and drag the arrow down the screen. As buttons are hidden from the screen they are replaced with an icon which can be selected to open the corresponding NetControl page.
Information Panes

The contents of the information panes, located in the right-hand pane, depend on the button selected in the navigation pane and the node/container selected in the explorer view. This pane may display the objects available in the selected node/container and supporting details or options for configuring the selected component.

The first time the console is launched, the NetControl Email pane will be displayed allowing you to configure the NetControl email settings. However, each subsequent time the console is launched, the pane last displayed when the console was closed will be displayed.

Please refer to the individual chapters in this guide for a description of the information panes available and the tasks that can be performed from each.
Chapter 3: Application Security

Delegation of administration allows you to transfer the responsibility for administrative tasks to a lower-level administrator. Application security provides component level security for all application components.

By default, users in the Domain Admins group are granted Full Control to NetControl, while users in the Everyone group are granted Read All Properties. These default permissions ensure that only privileged users have the rights to invoke change in NetControl.

This chapter provides the following information for building a secure NetControl deployment:
• Considerations for Implementing Application Security
• Implementing Application Security
Considerations for Implementing Application Security
While every task can be delegated at a granular level, consider the following before changing any security settings:
• NetControl’s security model works internally the same way as Active Directory and NTFS security.
• Subcontainers can be created in all nodes. These containers serve a dual purpose. Primarily, containers are used to organize content, but they can also be used as a boundary or scope of management for a delegated user. For example, you can allow user Domain\Sally to create Security Templates in a single container.
Implementing Application Security
To implement application security:
1. Select a resource container from the explorer view (for example, Agents or Computer Lists) or an object from the object list.
2. Select the Permissions command from the tool bar or the right-click menu. This will display the Permissions dialog for the selected application component.
3. By default, all application components have the following permissions defined:
   • Allow | Everyone | Read All Properties | This object and all child objects
   • Allow | Domain Admins | Full Control | This object and all child objects
4. To add additional permissions select the Add button, which will display the New Permission Entry dialog.
5. On the New Permission Entry dialog, select the permissions to be allowed and/or denied to secure the selected application component.
   • Account – use the browse button to locate and select a user or group account to be delegated these permissions.
   • Apply to – select the appropriate option to specify what object types are going to receive the selected permissions (for example, this object only, this object and child objects, or child objects only).
   • Permissions – select the Allow or Deny check boxes for the permissions to be delegated.
   • Apply these permissions to immediate objects and/or containers only – optionally select this check box to define the level of effectiveness the selected rights will assume.
   • Expires on – optionally select this check box and select the date these permissions are to expire.
6. After adding the new permissions entry, use the OK button to save your settings. The new permission will be displayed on the Permissions dialog.
Permissions Dialog
The Permissions dialog is displayed when the Permissions tool bar button or right-click menu command is selected for an application component. Use this dialog to view and/or modify the permissions to be delegated to the selected application component.

By default, users in the Domain Admins group are granted Full Control to NetControl, while users in the Everyone group are granted Read All Properties. The default permissions are displayed in the Permissions dialog.

Permissions list box
This list box displays the permissions to be applied to the selected application component. It includes the following information for each permission:

Type
This column displays the type of permission being delegated: Allow or Deny.

Account
This column displays the name of the user or group account to be delegated each permission listed.

Permission
This column displays the name of the permission being delegated.

Apply To
This column displays the objects to which each permission applies: this object only, this object and child objects or child objects only.

Inherited From
For child objects, this column displays the parent object from which the permissions were inherited.

Expires On
If applicable, this column displays the date when the permissions will expire.
Add
Use the Add button to add permissions to the list box. Selecting this button will display the New Permission Entry dialog allowing you to select the permission(s) to be included. This dialog also allows you to specify the user or group account, the object types that are to receive the permission(s), the level of effectiveness the rights will assume, and if applicable an expiration date.

Remove
After permissions have been added and are displayed in the Permissions list box, use the Remove button to remove a permission entry from the list box. Select the permission entry to be removed and select the Remove button.

New Permission Entry Dialog
The New Permission Entry dialog is displayed when the Add button is selected on the Permissions dialog when assigning application security. From this dialog, specify the access permissions to be applied to the selected component (for example, deny access for deploying agents).

Account
Use the browse button to specify a user or group account to be granted or denied access permissions to the selected application component. Selecting the browse button will display the native Select User or Group dialog allowing you to locate and select a user or group account.
Apply to
This drop-down text box allows you to specify the object types that are to be granted the selected permissions. By default, the permissions selected will be applied to this object and all child objects; however, you can use the drop-down menu to change this setting. Valid entries are:
• This object only
• This object and all child objects (default)
• Child objects only

Permissions list box
This list box displays the permissions that can be granted or denied. From this list box, select the appropriate access permissions:
• Full Control
• Read All Properties
• Write All Properties
• Modify Permissions
• Delete
• Delete Subtree
• Create All Child Objects
• Delete All Child Objects
• Create Folders
• Delete Folders
• Create (for example, Schedule, Agent Group)
• Delete (for example, Computer List, Agent Group)

Clear
Use the Clear button to clear any check marks from the Permissions list box.

Apply these permissions to immediate objects and/or containers only
Select this check box to apply the permissions to the selected object and/or container only. That is, if this option is checked, the permissions will not apply to any subordinate objects or containers.

Expires on
To create a temporary (expiring) permission assignment, select this check box and use the arrow to view a calendar grid to select the date when these permissions are to expire.
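The entry fields described in this chapter (Type, Account, Permission, Apply to, Expires on) can be modelled to see which entry decides a given request. The following Python model is an added example, not NetControl code: it assumes the Active Directory/NTFS evaluation order the chapter refers to (entries set on the object before inherited ones, Deny before Allow at each level) and that an entry stops applying on its Expires on date. It leaves out the immediate-objects-only check box, and the container paths and the Domain\Contractors group are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# "Apply to" values from the New Permission Entry dialog.
THIS_ONLY = "This object only"
THIS_AND_CHILDREN = "This object and all child objects"
CHILDREN_ONLY = "Child objects only"


@dataclass(frozen=True)
class Entry:
    type: str                              # "Allow" or "Deny"
    account: str
    permission: str
    apply_to: str = THIS_AND_CHILDREN      # dialog default
    expires_on: Optional[date] = None

    def active(self, today: date) -> bool:
        # Assumption: the entry no longer applies on its "Expires on" date.
        return self.expires_on is None or today < self.expires_on

    def covers(self, permission: str) -> bool:
        # Full Control stands for every permission in the list box.
        return self.permission in ("Full Control", permission)

    def reaches(self, depth: int) -> bool:
        # depth 0 is the object the entry is set on; >0 is a descendant.
        if depth == 0:
            return self.apply_to != CHILDREN_ONLY
        return self.apply_to != THIS_ONLY


def ancestors(path: str) -> List[str]:
    """'A/B/C' -> ['A/B/C', 'A/B', 'A'], nearest container first."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def check(acls: Dict[str, List[Entry]], principals: Set[str], permission: str,
          path: str, today: date) -> Tuple[bool, str]:
    """Return (granted, deciding entry) for one permission on one object."""
    for depth, node in enumerate(ancestors(path)):
        hits = [e for e in acls.get(node, [])
                if e.active(today) and e.reaches(depth)
                and e.account in principals and e.covers(permission)]
        # Deny is evaluated before Allow at the same level.
        for wanted in ("Deny", "Allow"):
            for e in hits:
                if e.type == wanted:
                    origin = "explicit" if depth == 0 else f"inherited from {node}"
                    return (wanted == "Allow",
                            f"{e.type} {e.account} {e.permission} ({origin})")
    return False, "no matching entry"      # nothing grants it: access is refused


# Constructed sample data. Paths and Domain\Contractors are hypothetical.
ROOT = "NetControl"
AGENTS = "NetControl/Resources/Agents"
EMEA = "NetControl/Resources/Agents/EMEA"
CREATE = "Create All Child Objects"
ACLS = {
    ROOT: [   # the two default entries listed in this chapter
        Entry("Allow", "Everyone", "Read All Properties"),
        Entry("Allow", "Domain Admins", "Full Control"),
    ],
    AGENTS: [Entry("Deny", "Domain\\Contractors", CREATE)],
    EMEA: [Entry("Allow", "Domain\\Sally", CREATE, expires_on=date(2008, 12, 31))],
}

if __name__ == "__main__":
    sally = {"Domain\\Sally", "Domain\\Contractors", "Everyone"}
    for day in (date(2008, 9, 1), date(2009, 1, 1)):
        print(day, check(ACLS, sally, CREATE, EMEA, day))
```

In the sample, Sally's explicit Allow on the container decides the request even though a Deny is inherited from the parent container; once the entry has expired, the inherited Deny decides instead.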
Chapter 4: Agents

Using the Resources pane in the NetControl console, you can deploy and maintain agents. NetControl agents distribute the workload processing as defined by each individual NetPro application. Agents communicate directly with the SQL Server database on a configured interval to receive a list of actions that need to be executed.

Refer to the documentation for each deployed NetPro application to determine if it uses NetControl agents.

This chapter provides the following information and procedures:
• Agents Pane
• Considerations for Deploying Agents
• Deploying Agents
Agents Pane
The Agents pane is displayed when Agents is selected in the explorer view of the Resources pane. From this pane you can deploy agents and view the status of deployed agents.

Explorer View
The explorer view displays a hierarchy of folders created to organize your agents.

Agents List
The agents list displays a list of deployed agents for the container selected in the explorer view. The following information is displayed for each agent:
• Server – the name of the server where an agent was deployed
• Comment – the comment or descriptive text entered when the agent was deployed
• Status – the current status of the agent (for example, Offline, Copying File, Installing, Updating, Running)
• Version – the current version of each agent deployed

Right-click an object in the agents list to perform tasks related to the selected object.

Move to
Use the Move to command to move the selected agent to a different folder in the explorer view. Selecting this command will display the Select a Folder dialog allowing you to select the folder to which the agent is to be moved.
Delete
Use the Delete command to remove the selected agent from the agents list.

Permissions
Use the Permissions command to display the delegated permissions for the selected agent. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15.

Properties
Use the Properties command to display the properties set for the selected agent. Selecting this command will display the Properties dialog allowing you to view or modify the security permissions assigned to the selected agent.

Details View
The details view displays information regarding the jobs (for example, data collection, report) that are assigned to the agent selected in the object list. The following information is displayed:
• Name – the name assigned to the job when it was created
• Comment – the comment or descriptive text entered when the job was defined
• Type – the type of job run on the selected agent
• Run Date – the date the associated job ran
• Elapsed Time – the amount of time it took to run the associated job
• Status – the current status of the job

Right-clicking in the agents list pane (not an object in the list) or details view pane will display the following commands allowing you to change the content displayed in the agents list/details view pane:

New | Agent
Use the New | Agent command to deploy a new agent.

View
Expand the View command and select one of the following options to change how the objects in the agents list are displayed:
• Tiles
• Icons
• List
• Details (default)

Arrange By
Expand the Arrange By command and select the appropriate option to change the sort order for the displayed objects. The sort options available are based on the container selected in the explorer view. More specifically, the options will match the column headings in the agents list.
Arrange By | Show in Groups
Use the Arrange By | Show in Groups command to group the objects in the list based on the sort method selected. A check mark in front of this command will display the objects in groups with corresponding headings.

Refresh
Use the Refresh command to retrieve and display the latest information.
Considerations for Deploying Agents
Prior to deploying agents, carefully consider the following items:
• Agent(s) will be running with elevated privileges, so ensure you have followed Microsoft’s Best Practices for Securing Service Accounts.
• Consider grouping agents based on geographical location and the security required to access the managed content:
  • Deploying agents close to the objects being managed will help reduce the amount of WAN traffic.
  • If you have highly sensitive data that will be managed or are required to operate under the principles of least privilege, then grouping resources by security level is paramount.
• Review the default application security and start granting access as required to interested parties (see Chapter 3: Application Security on page 15 for information on building a secure deployment). For example:
  • Restrict who can modify agent groups
  • Restrict who can deploy agents
Deploying Agents
Prior to deploying agents, please review ‘Considerations for Deploying Agents’ on page 24.

To deploy agents:
1. Select Resources from the navigation pane.
2. Select Agents from the explorer view.
3. Select the New | Agent tool bar button or right-click menu command. This will display the New Agent Deployment dialog allowing you to specify the computers where an agent is to be deployed.
4. On the Servers page of this dialog, use the appropriate Add option to deploy an agent to an individual computer or to all computers in a computer list.
   • Use the Add | Computer option to deploy an agent to an individual computer. Selecting this option will display the native Select Computers dialog allowing you to specify the computer to be included.
   • Use the Add | Computer List option to deploy an agent to all the computers in a given computer list. Selecting this button will display the Select a Computer List dialog allowing you to select the computer list to be used.
5. On the Servers page, also enter a descriptive comment and the logon credentials for the account the agent is to run as.
6. Open the Agent Groups page to add the agent(s) to an agent group. On this page, select the Add button to display the Select an Agent Group dialog where you can select or create an agent group to which the agent is to be assigned.
7. After specifying where agents are to be deployed, select the OK button to close the dialog and start the deployment process. The status of the deployed agents will be displayed in the Agents object list.
New Agent Deployment Dialog
The New Agent Deployment dialog is displayed when the New | Agent tool bar button or right-click menu command is selected from the Agents pane. From this dialog, you can specify the computers to which agents are to be deployed. You can deploy agents to an individual computer or all computers in a computer list. You can also assign these agents to agent groups as part of the deployment process.

This dialog consists of two tabbed pages:
• Servers – use the Servers page to specify the server to which agents are to be deployed and the user account the agent is to run as.
• Agent Groups – use the Agent Groups page to assign the deployed agents to one or more agent groups.

Servers Page
From the Servers page, specify the server(s) to which an agent is to be deployed. The information entered on this page will be displayed in the Agents object list when Agents is selected in the explorer view.
Servers list box
The servers list box displays the servers or computer lists to which a NetControl Agent Service is to be deployed. In addition to the server's/computer list's name, this list box also displays the type: Computer or Computer List. Use the appropriate Add option to add a computer or computer list to the list box.

Add | Computer
Use the Add | Computer option to add an individual server to the servers list box. Selecting this option will display the native Select Computers dialog allowing you to specify the computer to which an agent is to be deployed.

Add | Computer List
Use the Add | Computer List option to add a computer list to the servers list box. Selecting this option will display the Select a Computer List dialog allowing you to select a previously defined computer list or create a new computer list. When a computer list is selected, an agent will be deployed to all servers in the computer list.

Remove
Use the Remove button to remove the selected computer or computer list from the list box. If an agent has already been deployed, this command will also remove the agent from the selected machine(s). Select the computer or computer list to be removed and select the Remove button.
NOTE: If an agent is removed before it completes any assigned jobs, the agent coordinator will reassign these unfinished jobs to another agent in the agent group.

Comment
Optionally, enter a description or comment regarding the agent(s) being deployed.

Log on As: Account
Enter or use the browse button to specify the user account that the agent is to run as. Selecting the browse button will display the native Select User dialog allowing you to locate and select the user account to be used.
NOTE: This account must have access to the database and the rights to perform whatever tasks the agent is going to be asked to do. For example, if the agent is to delegate Active Directory permissions, this account must have the rights to modify permissions over the appropriate Active Directory objects.

Log on As: Password
Enter the password associated with the specified user account.
Agent Groups Page
Use the Agent Groups page to add the newly deployed agent(s) to one or more agent groups. Group agents to provide load balancing and fault tolerant processing centers. Distributing all tasks across the processing group ensures tasks are processed as quickly as possible. Additionally, the processing group creates fault tolerance, so if an agent becomes unavailable, all unfinished work is redistributed across the processing center.

Agent Group list box
The agent group list box displays the agent group(s) to which the agent(s) being deployed are to be assigned. Use the Add and Remove buttons to add/remove agent groups to/from this list.

Add
Use the Add button to add agent groups to the list box. Selecting this button will display the Select an Agent Group dialog allowing you to select one or more agent groups from a list of previously defined agent groups or to create a new agent group.

Remove
After agent groups have been added and are displayed in the agent group list box, use the Remove button to remove an agent group from the list box. If an agent is already assigned to an agent group in the list, this command will also remove that agent from the selected agent group. Select the agent group to be removed and select the Remove button.
Select a Computer List Dialog
The Select a Computer List dialog is displayed when the Add | Computer List option is selected on the Servers page of the New Agent Deployment dialog. From this dialog, select the computer list(s) to which NetControl Agents are to be deployed. That is, an agent will be deployed to all the servers included in the computer list.

This dialog is also displayed when the Add | Computer List option is selected on the Computers page of the New Collector dialog. When accessed from this dialog, select the computer list(s) from which data is to be collected.

Explorer View
The explorer view, in the left pane, displays a hierarchy of the folders created to organize computer lists. Click the node next to a container or double-click a container to expand the folder structure to locate the computer list(s) to be used. Select a container to view the computer lists created in the selected container.

Right-click the Computer List folder (or other user-defined folder) in the explorer view to display the following commands:

New | Computer List
Use the New | Computer List command to create a new computer list. Selecting this command will display the New Computer List dialog allowing you to define a new computer list.

New | Folder
Use the New | Folder command to create a new folder for organizing your computer lists. Selecting this command will add a new folder under the currently selected container in the explorer view.

Delete
Use the Delete command to remove a user-defined container from the explorer view and any child containers or objects created in the selected container. This command is only available for user-defined containers.
Rename
Use the Rename command to change the name of the selected container. This command is only available for user-defined containers.

Permissions
Use the Permissions command to display the delegated permissions for the selected container. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15.

Refresh
Use the Refresh command to retrieve and display the latest information on the dialog.

Object List
The object list, in the right pane, is populated based on the folder selected in the explorer view. From this list box, select the computer list(s) to which an agent is to be deployed.

Right-click a computer list in the object list to display the following commands:

Delete
Use the Delete command to remove the computer list from the object list.

Properties
Use the Properties command to display the properties set for the selected computer list. Selecting this command will display the Properties dialog allowing you to view or modify the computers included in the selected computer list.
NOTE: This dialog contains the same tabbed pages as the New Computer List dialog. See ‘Computer Lists Pane’ on page 40 for a description of this dialog.

Select an Agent Group Dialog
The Select an Agent Group dialog is displayed when the Add button is selected on the Agent Groups page of the New Agent Deployment dialog. From this dialog, select the agent group(s) to which the deployed agents are to be added.
Explorer View
The explorer view, in the left pane, displays a hierarchy of the folders created to organize agent groups. Click the node for a container or double-click a container to expand the folder structure to locate the agent group(s) to be included. Select a container to display the agent groups created in the selected container.

Right-click the Agent Groups folder (or other user-defined folder) in the explorer view to display the following commands:

New | Agent Group
Use the New | Agent Group command to create a new agent group. Selecting this command will display the New Agent Group dialog allowing you to define a new agent group.

New | Folder
Use the New | Folder command to create a new folder. Selecting this command will add a new folder under the currently selected container in the explorer view.

Delete
Use the Delete command to remove a user-defined container from the explorer view and any child containers or objects created in the selected container.

Rename
Use the Rename command to change the name of the selected container. This command is only available for user-defined containers.

Permissions
Use the Permissions command to display the delegated permissions for the selected container. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15.

Refresh
Use the Refresh command to retrieve and display the latest information on the dialog.
Object List
The object list, in the right pane, is populated based on the folder selected in the explorer view. From this list box, select the agent group(s) to be added to the agent group list box back on the originating dialog. That is, the newly deployed agent will be assigned to this agent group.

Right-click an agent group in the object list to display the following commands:

Move to
Use the Move to command to move the selected object to a different folder. Selecting this command will display the Select a Folder dialog allowing you to select the folder to which the object is to be moved.

Delete
Use the Delete command to remove the agent group from the object list.

Permissions
Use the Permissions command to display the delegated permissions for the selected object. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15.

Properties
Use the Properties command to display the properties set for the selected agent group. Selecting this command will display the Properties dialog allowing you to view or modify the agents included in the selected agent group.
NOTE: This dialog contains the same tabbed pages as the New Agent Group dialog. See ‘Creating Agent Groups’ on page 33 for a description of this dialog.
Chapter 5: Agent Groups

Using the Resources pane in the NetControl console, you can create and maintain agent groups. An agent group is a collection of one or more servers running the NetControl Agent Service. Workload for an agent group is distributed across all agents in the processing group thus allowing for process load balancing.

The NetControl application provides no restrictions for grouping. Agents can be grouped based on geographical location, applications, or resource security level. Most often, geography and security level determine how agents are grouped. This ensures that processing does not occur across the WAN and that agents will be provided the proper level of security to the underlying data.

One agent in an agent group will assume the role of the coordinator. The coordinator will check and verify that each agent in the agent group is updating within the allowed update notification interval. In the event of agent failure, the coordinator will redistribute the unfinished workload of the failed agent to the remaining agents in the agent group. Fault tolerance is built in at the agent and coordinator level: if the coordinator fails, another agent in the agent group will assume that role.

Refer to the documentation for each deployed NetPro application to determine if it uses agent groups to organize agents.

This chapter provides the following information and procedures:
• Agent Groups Pane
• Creating Agent Groups
Agent Groups Pane
The Agent Groups window is displayed when Agent Groups is selected in the explorer view of the Resources pane. From this pane you can define agent groups and view where these agent groups are being used.

Explorer View
The explorer view displays a hierarchy of folders created to organize your agent groups.

Agent Groups List
The agent groups list displays a list of agent groups created under the container selected in the explorer view. The following information is displayed for each agent group:
• Name – the name assigned to the agent group when it was created
• Comment – the comment or descriptive text entered when the agent group was created

Right-click an object in the agent groups list to perform tasks related to the selected object.

Move to
Use the Move to command to move the selected agent group to a different folder in the explorer view. Selecting this command will display the Select a Folder dialog allowing you to select the folder to which the agent group is to be moved.

Delete
Use the Delete command to remove the agent group from the agent groups list.
Permissions
Use the Permissions command to display the delegated permissions for the selected agent group. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15.

Properties
Use the Properties command to display the properties set for the selected agent group. Selecting this command will display the Properties dialog allowing you to view or modify the security permissions applied to the selected agent group.

Details View
The details view displays information about the resource components (for example, collectors, schedules, etc.) that are associated with the agent group selected in the object list. The following information is displayed:
• Name – the name of the resource component linked to the selected agent group
• Comment – the comment or descriptive text entered when the resource component was created
• Type – the type of resource component linked to the selected agent group

Right-click in the agent groups list pane (not an object in the list) or details view pane to display the following commands allowing you to change the content displayed in the agent groups list/details view pane:

New | Agent Group
Use the New | Agent Group command to create a new agent group.

View
Expand the View command and select one of the following options to change how the objects in the object list are displayed:
• Tiles
• Icons
• List
• Details (default)

Arrange By
Expand the Arrange By command and select the appropriate option to change the sort order for the displayed objects. The sort options available are based on the container selected in the explorer view. More specifically, the options will match the column headings in the agent groups list.

Arrange By | Show in Groups
Use the Arrange By | Show in Groups command to group the objects in the list based on the sort method selected. A check mark in front of this command will display the objects in groups with corresponding headings.
Refresh
Use the Refresh command to retrieve and display the latest information.
Creating Agent Groups
You can create an agent group and assign agents to this group at a later time or you can create agent groups and assign agents to the group at creation time. You can add or remove agents to existing agent groups at any time.
NOTE: Agents can belong to more than one agent group.

To create an ‘empty’ agent group:
Creating an ‘empty’ agent group allows you to assign deployed agents to this group at a later time. For example, by creating an ‘empty’ agent group before deploying agents, you can assign agents to this group as part of the deployment process.
1. Select Resources from the navigation pane.
2. Select Agent Groups from the explorer view.
3. Select the New | Agent Group tool bar button. (Or right-click Agent Groups and select the New | Agent Group menu command.) This will display the New Agent Group dialog where you can name the agent group.
4. On the General page, enter a descriptive name and an optional comment to describe the agent group.
5. After entering a name and description, use the OK button to close the dialog and create the ‘empty’ agent group. The newly created agent group will be displayed in the Resources object list when Agent Groups is selected in the explorer view.

To create an agent group with agents:
1. Select Resources from the navigation pane.
2. Select Agent Groups from the explorer view.
3. Select the New | Agent Group tool bar button or right-click menu command. This will display the New Agent Group dialog where you can name and specify the agents that are to belong to this agent group.
4. On the General page, enter a descriptive name and an optional comment to describe the agent group.
5. Open the Agents page and select the Add button. This will display the Select an Agent dialog allowing you to select the agent(s) to be added to the agent group.
6. On the Agents page, you can also update the Update Notification time as desired. This interval is used by the coordinator to determine if the other agents in the group are updating within the specified time.
7. After entering a name and selecting the agents to be added, use the OK button to close the dialog and create the agent group. The newly created agent group will be displayed in the Resources object list when Agent Groups is selected in the explorer view.
To add (or remove) an agent to an agent group:
1. Open the Resources pane and select Agent Groups from the explorer view.
2. Expand the folder structure in the explorer view and locate the agent group to which agents are to be added or removed.
3. In the object list, right-click the agent group and select Properties.
4. This will display the Properties dialog for that agent group. Use the Agents page of this dialog to add (or remove) an agent to the selected agent group.

New Agent Group Dialog
The New Agent Group dialog is displayed when the New | Agent Group tool bar button or the right-click menu command is used when Agent Groups (or a subordinate folder) is selected in the explorer view of the Resources pane.

This dialog consists of two tabbed pages:
• General – use the General page to enter a name and description for the new agent group.
• Agents – use the Agents page to specify the agents to be included in the agent group.

General Page
From the General page, specify the general information for the agent group. The information entered on this page will be displayed in the Resources object list when Agent Groups is selected in the explorer view.

Name
Enter a descriptive name for the new agent group.
Example: US New York Mid-Town Data Center File Servers
Comment Optionally, enter a description or comment for the new agent group. Example: Agents in this agent group have been granted privileged access only to set permissions on all file servers in the Mid-Town Data Center location for New York City. (Note a separate agent group has been defined for the Financial Center.)
Agents Page From the Agents page, specify the servers to which a NetControl Agent has been deployed that are to be included in the agent group.
Agent list box This list box displays the agented servers to be included in the new agent group. It includes the server name and any comments that were entered when the agent was deployed. Add Use the Add button to add an agent to the agent group. Selecting this button will display the Select an Agent dialog allowing you to select the agent(s) to be included. Remove After agents have been added and are displayed in the Agent list box, use the Remove button to remove an agent from the list box (and the agent group). Select the agent to be removed and select the Remove button. Update Notification minutes The Update Notification interval is used by the coordinator to determine if all of the agents in the selected agent group are updating within the specified time. The default interval is 5 minutes.
Select an Agent Dialog The Select an Agent dialog is displayed when the Add button is selected on the Agents page of the New Agent Group dialog. From this dialog, select the agent(s) to be included in the new agent group.
Explorer View The explorer view, in the left pane, displays a hierarchy of the folders created to organize deployed NetControl Agents. Click the node next to the container or double-click a container to expand the folder structure to locate the agent(s) to be included. Select a container to display the agents deployed under the selected container. Right-click the Agents folder (or subfolder) in the explorer view to display the following commands: New | Agent Use the New | Agent command to deploy a NetControl Agent to a specified server. Selecting this command will display the New Agent Deployment dialog allowing you to select the server(s) to which an agent is to be deployed. Refer to ‘New Agent Deployment Dialog’ on page 25 for a description of the New Agent Deployment dialog. New | Folder Use the New | Folder command to create a new folder to organize the deployed agents. Selecting this command will add a new folder under the currently selected container in the explorer view. Delete Use the Delete command to remove a user-defined container from the explorer view and any child containers or objects created in the selected container. This command is only available for user-defined containers. Rename Use the Rename command to change the name of the selected user-defined container. This command is only available for user-defined containers.
Permissions Use the Permissions command to display the delegated permissions for the selected container. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15. Refresh Use the Refresh command to retrieve and display the latest information on the dialog.
Object List The object list, in the right pane, is populated based on the folder selected in the explorer view. From this list box, select the agent(s) to be included in the agent group. Right-click an agent in this list box to display the following commands: Start Use the Start command to start the agent service. Stop Use the Stop command to stop the agent service. Move to Use the Move to command to move the selected object to a different folder. Selecting this command will display the Select a Folder dialog allowing you to select the folder to which the object is to be moved. Remove Use the Remove command to remove the agent service from the selected server. Permissions Use the Permissions command to display the delegated permissions for the selected object. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15. Properties Use the Properties command to view the properties defined for the selected agent. Selecting this command will display the Properties dialog for the agent allowing you to modify the server credentials as well as the agent group(s) to which this agent is currently assigned. NOTE: This dialog contains the same tabbed pages as the New Agent Deployment dialog with the exception of the Change Service credentials check box. See ‘New Agent Deployment Dialog’ on page 23 for a description of the information provided in this dialog.
Chapter 6: Computer Lists
Using the Resources pane in the NetControl console, you can create and maintain computer lists. A computer list is a way to group physical computer resources based on explicit or dynamically generated content. When using the LDAP query or Script options, the computer list will be regenerated each time the computer list is used. The benefit of using dynamically generated computer lists is that when new servers matching the defined criteria come online, they are automatically added to the computer list. This eliminates the need to manually add new servers each time. Refer to the documentation for each deployed NetPro application to determine if it can use computer lists.
This chapter provides the following information and procedure:
• Computer Lists Pane
• Building Computer Lists
Computer Lists Pane The Computer Lists pane is displayed when Resources is selected in the navigation pane and Computer Lists is selected in the explorer view of the Resources pane. From this pane you can define computer lists and see the components to which each computer list is linked.
Explorer View The explorer view displays a hierarchy of folders created to organize your computer lists. Computer Lists View The computer lists view displays a list of computer lists created under the container selected in the explorer view. The following information is displayed for each computer list:
• Name – the name assigned to the computer list when it was created
• Comment – the comment or descriptive text entered when the computer list was created
Right-click an object in the computer list view to perform tasks related to the selected object. Move to Use the Move to command to move the selected computer list to a different folder in the explorer view. Selecting this command will display the Select a Folder dialog allowing you to select the folder to which the computer list is to be moved.
Delete Use the Delete command to remove the selected computer list from the computer lists view. Permissions Use the Permissions command to display the delegated permissions for the selected computer list. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15. Properties Use the Properties command to display the properties set for the selected computer list. Selecting this command will display the Properties dialog allowing you to view or modify the security permissions applied to the selected computer list. Details View The details view displays information about the resource component to which the computer list selected in the computer list view is linked. The following information is displayed:
• Linked To – the name of the resource component associated with the selected computer list
• Comment – the comment or descriptive text entered when the linked resource component was created
• Type – the type of resource component linked to the selected computer list
Right-click in the computer lists pane (not an object in the list) or details view pane to display the following commands allowing you to change the content displayed in the computer list/details view pane: New | Computer List Use the New | Computer List command to create a new computer list. View Expand the View command and select one of the following options to change how the objects in the computer list view are displayed:
• Tiles
• Icons
• List
• Details (default)
Arrange By Expand the Arrange By command and select the appropriate option to change the sort order for the displayed objects. The sort options available are based on the container selected in the explorer view. More specifically, the options will match the column headings in the computer lists view.
Arrange By | Show in Groups Use the Arrange By | Show in Groups command to group the objects in the list based on the sort method selected. A check mark in front of this command will display the objects in groups with corresponding headings. Refresh Use the Refresh command to retrieve and display the latest information.
Building Computer Lists
Using the Resources pane, you can create computer lists using one of three methods:
• creating an explicit list
• generating a list based on an LDAP query
• generating a list based on a script
To build an explicit computer list:
1. Select Resources from the navigation pane to open the Resources pane.
2. Select Computer Lists from the explorer view.
3. Select the New | Computer List tool bar button or right-click menu command. This will display the New Computer List dialog where you can name and build the computer list.
4. On the General page, enter a descriptive name and an optional comment to describe the computer list.
5. Proceed to the Computers page, and in the Type box select Computers.
6. Select the Add button to display the native Select Computers dialog. From this dialog, select the computers to be included in this computer list.
7. After entering a name and specifying the computers to be included in the list, use the OK button to close the dialog and save the computer list.
8. The newly created computer list will be displayed in the object list when Computer Lists is selected in the explorer view.
To build a dynamic computer list based on an LDAP query:
1. Select Resources from the navigation pane to open the Resources pane.
2. Select Computer Lists from the explorer view.
3. Select the New | Computer List tool bar button or right-click menu command. This will display the New Computer List dialog where you can name and build the computer list.
4. On the General page, enter a descriptive name and an optional comment to describe the computer list.
5. Proceed to the Computers page, and in the Type box select LDAP query and fill in the requested information:
• Container – optionally enter or use the browse button to select the container to be searched.
• Scope – select the scope (entire subtree or immediate children only).
6. Use the Generate button to build the LDAP query. Selecting this button will display the native Find Computers dialog allowing you to specify the criteria to be used in the query. After entering the criteria to be included in the LDAP query, select the OK button. The LDAP query will be displayed in the text box back on the New Computer List dialog.
For example, to query Active Directory for all domain controllers with names ending with DC001, enter the following information to create the LDAP query:
On the Find Computers dialog, enter:
    Computer Name: *DC001
    Role: Domain Controller
Back on the Computers tab, the Filter text box should read:
    (primaryGroupID=516)(name=*DC001)
7. Optionally use the Test button to search Active Directory using the query generated. A results dialog will be displayed listing the computers that currently match the criteria specified.
8. After entering a name and generating the LDAP query to be used to build the computer list, use the OK button to close the dialog and save the computer list.
9. The newly created computer list will be displayed in the object list when Computer Lists is selected in the explorer view.
To build a dynamic computer list based on a script:
1. Select Resources from the navigation pane to open the Resources pane.
2. Select Computer Lists from the explorer view.
3. Select the New | Computer List tool bar button or right-click menu command. This will display the New Computer List dialog where you can name and build the computer list.
4. On the General page, enter a descriptive name and an optional comment to describe the computer list.
5. Proceed to the Computers page, and in the Type box select Script.
6. In the Language box, select the type of script to be created: VBScript (default) or JScript.
7. In the text box, enter the script to be executed.
For example, to query all workstations or servers running Windows 2003 R2 with names ending in MEM01 or DC01, you could enter the following VBScript:
    Function GetComputerList()
        Dim Results()
        i = 0
        ' Read the default naming context of the current domain
        Set rootDSE = GetObject("LDAP://RootDSE")
        defaultNC = rootDSE.Get("defaultNamingContext")
        ' Open an ADO connection through the ADSI provider
        Set oCommand = CreateObject("ADODB.Command")
        Set oConnect = CreateObject("ADODB.Connection")
        oConnect.Provider = "ADsDSOObject"
        oConnect.Open "Active Directory Provider"
        Set oCommand.ActiveConnection = oConnect
        ' Search base: the default naming context read above
        sContainer = "<LDAP://" & defaultNC & ">"
        ' \28 and \29 are the escaped parentheses of the version string "5.2 (3790)"
        sFilter = "(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystemVersion=5.2 \283790\29)(|(cn=*MEM01)(cn=*DC01)))"
        sAttrib = "cn"
        sQuery = sContainer & ";" & sFilter & ";" & sAttrib & ";subtree"
        oCommand.CommandText = sQuery
        Set oRecordSet = oCommand.Execute
        ' VBScript arrays are zero-based, so fill the result from index 0
        Do Until oRecordSet.EOF
            ReDim Preserve Results(i)
            Results(i) = oRecordSet.Fields("cn").Value
            i = i + 1
            oRecordSet.MoveNext
        Loop
        oConnect.Close
        GetComputerList = Results
    End Function
8. Optionally use the Test button to run the script to generate the computer list. A results dialog will be displayed listing the computers that currently match the criteria specified.
9. After entering a name and the script to be used to build the computer list, use the OK button to close the dialog and save the computer list.
10. The newly created computer list will be displayed in the object list when Computer Lists is selected in the explorer view.
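The filter in the script example relies on LDAP filter escaping (RFC 4515): the parentheses in the operatingSystemVersion value 5.2 (3790) are written as \28 and \29. The following JavaScript is an added example, not NetControl or NetPro code; it builds that filter from literal values with the escaping applied and evaluates it against constructed sample records. The function names and sample computers are assumptions, and it runs under Node.js rather than in the NetControl script box.

```javascript
// Added example (not NetControl code). All function names are hypothetical.

// Escape a literal value for use inside an LDAP filter (RFC 4515):
// backslash, '*', '(', ')' and NUL become \XX hex escapes.
function escapeLdapValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16);
    return '\\' + (hex.length < 2 ? '0' + hex : hex);
  });
}

// Build the filter from the guide's script example.
// osVersion: literal operatingSystemVersion value, e.g. "5.2 (3790)".
// nameSuffixes: literal name endings; the leading '*' wildcard is added here,
// so metacharacters inside a suffix stay literal and cannot reshape the query.
function buildComputerFilter(osVersion, nameSuffixes) {
  if (!nameSuffixes.length) throw new Error('at least one name suffix is required');
  const names = nameSuffixes.map((s) => '(cn=*' + escapeLdapValue(s) + ')').join('');
  return '(&(sAMAccountType=805306369)(objectCategory=computer)' +
         '(operatingSystemVersion=' + escapeLdapValue(osVersion) + ')' +
         '(|' + names + '))';
}

// Match one "attr=value" item: split on unescaped '*', decode \XX escapes,
// then compare case-insensitively.
function matchItem(item, entry) {
  const eq = item.indexOf('=');
  if (eq < 1) throw new Error('bad filter item: ' + item);
  const actual = entry[item.slice(0, eq)];
  if (actual === undefined) return false;
  const parts = item.slice(eq + 1).split('*').map((piece) => {
    const literal = piece.replace(/\\([0-9a-fA-F]{2})/g,
      (_, h) => String.fromCharCode(parseInt(h, 16)));
    return literal.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  });
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(String(actual));
}

// Minimal evaluator for the filter subset used here: (&...), (|...), (!...)
// and equality items with '*' wildcards.
function matchesFilter(filter, entry) {
  let pos = 0;
  function parse() {
    if (filter[pos++] !== '(') throw new Error('expected ( at ' + (pos - 1));
    const op = filter[pos];
    let result;
    if (op === '&' || op === '|') {
      pos++;
      let all = true, any = false;
      while (filter[pos] === '(') {
        const r = parse();
        all = all && r;
        any = any || r;
      }
      result = op === '&' ? all : any;
    } else if (op === '!') {
      pos++;
      result = !parse();
    } else {
      const end = filter.indexOf(')', pos);
      if (end < 0) throw new Error('unterminated filter item');
      result = matchItem(filter.slice(pos, end), entry);
      pos = end;
    }
    if (filter[pos++] !== ')') throw new Error('expected ) at ' + (pos - 1));
    return result;
  }
  const ok = parse();
  if (pos !== filter.length) throw new Error('trailing characters after filter');
  return ok;
}

// Constructed sample records. In Active Directory objectCategory holds a DN;
// the short name is used here to keep the sample small.
const SAMPLE_COMPUTERS = [
  { cn: 'NYCMEM01', sAMAccountType: '805306369', objectCategory: 'computer', operatingSystemVersion: '5.2 (3790)' },
  { cn: 'NYCDC01',  sAMAccountType: '805306369', objectCategory: 'computer', operatingSystemVersion: '5.2 (3790)' },
  { cn: 'NYCDC02',  sAMAccountType: '805306369', objectCategory: 'computer', operatingSystemVersion: '5.2 (3790)' },
  { cn: 'LONMEM01', sAMAccountType: '805306369', objectCategory: 'computer', operatingSystemVersion: '6.0 (6001)' },
];

// Names of the computers a filter would place in the computer list.
function selectComputers(filter, computers) {
  return computers.filter((c) => matchesFilter(filter, c)).map((c) => c.cn);
}

const exampleFilter = buildComputerFilter('5.2 (3790)', ['MEM01', 'DC01']);
console.log(exampleFilter);
console.log(selectComputers(exampleFilter, SAMPLE_COMPUTERS));
```

Because a dynamic computer list is regenerated each time it is used, the filter decides which servers later receive agents or jobs; the Test button shows the same selection against the live directory.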
New Computer List Dialog The New Computer List dialog is displayed when the New | Computer List tool bar button or right-click menu command is used when Computer Lists (or subordinate folder) is selected in the explorer view of the Resources pane. This dialog is also displayed when the New | Computer List right-click menu command is selected from the Select a Computer List dialog. From this dialog you will define computer lists which can then be used to deploy agents or be assigned to jobs that need to be performed. This dialog consists of two tabbed pages: • General – use the General page to enter a name and description for the computer list. • Computers – use the Computers page to define the computers to be included in the new computer list.
General Page From the General page, specify the general information for the computer list. The information entered on this page will be displayed in the Resources object list when Computer Lists is selected in the explorer view.
Name Enter a descriptive name for the new computer list. Comment Optionally, enter a description or comment for the new computer list.
Computers Page From the Computers page, specify the type of list to be created and enter the required information to build the list. Type Use the drop-down menu to select the type of computer list to be built:
• Computers – Select this option to generate a static list consisting of an explicit list of computers.
• LDAP Query – Select this option to dynamically generate a list of computers based on the criteria defined by an LDAP query.
• Script – Select this option to dynamically generate a list of computers based on the criteria defined in a script.
The options on the dialog box will change depending on the type selected.
Computers
The following options are displayed when the Computers option is selected: Computers list box This list box displays the computer(s) to be included in the new computer list. Use the Add and Remove buttons to add/remove computers to/from this list box. Add Use the Add button to add a computer to the computer list. Selecting this button will display the native Select Computers dialog allowing you to select the machine(s) to be included. Remove After computers have been added and are displayed in the Computers list box, use the Remove button to remove a computer from the list box (and from the computer list). Select the computer to be removed and select the Remove button. LDAP Query
The following options are displayed when the LDAP Query option is selected: Container Optionally, use the browse button to locate a container to be searched.
Scope By default, the entire subtree will be searched, however, you can use the drop-down menu to search the immediate child only. Filter This text box will be populated after the LDAP query is created using the Generate button. After generating the query, this text box will display the LDAP query created based on the information specified in the Find Computers dialog. Generate Use the Generate button to specify the criteria to be used in the LDAP query. Selecting this button will display the native Find Computers dialog allowing you to specify the criteria to be used. Test Optionally, use the Test button to search Active Directory using the query generated. A results dialog will be displayed listing the computers that currently match the criteria specified in the LDAP query. Script
The following options are displayed when the Script option is selected. Script text box In this text box, enter the script to be used to create the computer list. Language Select the language to be used to create the script. By default, VBScript is selected; use the drop-down menu to change the language of the script to JScript if desired. Test Optionally, use the Test button to search Active Directory using the script entered. A results dialog will then be displayed listing the computers that currently match the criteria specified in the script.
Chapter 7: Schedules
Using the Resources pane in the NetControl console, you can create and maintain schedules. In NetControl, jobs are designed to run based on a user-specified interval. Often, administrators want many operations to occur at the same time (for example, every night at midnight). Schedules allow you to express the preferred time(s) for operations to occur. Then you can link the appropriate jobs to the defined schedule. That is, all operations that occur at midnight can be defined by a single management point. Schedules also provide the flexibility to disable scheduled tasks in the event of a required maintenance window. Additionally, if all jobs that occur at midnight need to move to 1:00 AM, due to a time change, the schedule can be adjusted once and all linked jobs will be updated. Refer to the documentation for each individual NetPro application to determine if your application can use the scheduling feature.
This chapter provides the following information and procedure:
• Schedules Pane
• Defining Schedules
Schedules Pane The Schedules pane is displayed when Resources is selected in the navigation pane and Schedules is selected in the explorer view of the Resources pane. From this pane you can define schedules and see the components/jobs to which each schedule is linked.
Explorer View The explorer view displays a hierarchy of folders created to organize your schedules. Schedules List The schedules list displays a list of schedules created under the container selected in the explorer view. The following information is displayed for each schedule:
• Name – the name assigned to the schedule when it was created
• Comment – the comment or descriptive text entered when the schedule was created
Right-click an object in the schedules list to perform tasks related to the selected object. Move to Use the Move to command to move the selected object to a different folder in the explorer view. Selecting this command will display the Select a Folder dialog allowing you to select the folder to which the object is to be moved. Delete Use the Delete command to remove the selected schedule from the schedules list.
Enabled Use the Enabled command to enable and disable the selected schedule. A check mark to the left of the Enabled command means the schedule is enabled. Permissions Use the Permissions command to display the delegated permissions for the selected schedule. Selecting this command will display the Permissions dialog allowing you to view, add or remove permissions. For more details on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15. Properties Use the Properties command to display the properties set for the selected schedule. Selecting this command will display the Properties dialog allowing you to view or modify the security permissions applied to the selected schedule. Details View The details view displays information about the resource component (for example, collector, agent, schedule) to which the schedule selected in the schedules list is linked. The following information is displayed:
• Linked To – the name of the resource component associated with the selected schedule
• Comment – the comment or descriptive text entered when the linked resource component was created
• Type – the type of resource component linked to the selected schedule
Right-click in the schedules list pane (not an object in the list) or details view pane to display the following commands allowing you to change the content displayed in the schedules list/details view pane: New | Schedule Use the New | Schedule command to create a new schedule. View Expand the View command and select one of the following options to change how the objects are displayed:
• Tiles
• Icons
• List
• Details (default)
Arrange By Expand the Arrange By command and select the appropriate option to change the sort order for the displayed objects. The sort options available are based on the container selected in the explorer view. More specifically, the options will match the column headings in the schedules list.
Arrange By | Show in Groups Use the Arrange By | Show in Groups command to group the objects in the list based on the sort method selected. A check mark in front of this command will display the objects in groups with corresponding headings. Refresh Use the Refresh command to retrieve and display the latest information.
Defining Schedules
Using the Resources pane, you can create schedules that define the desired time(s) for operations to occur. These schedules can then be linked to the appropriate jobs. This resource eliminates the need to define a schedule each time a job is to be executed.
To define a new schedule:
1. Select Resources from the navigation pane to open the Resources pane.
2. Select Schedules from the explorer view.
3. Select the New | Schedule tool bar button or right-click menu command. This will display the New Schedule dialog where you can name and define the details of the schedule.
4. On the General page, enter a descriptive name and an optional comment to describe the schedule.
5. On the Details page, use the following controls to define the details of the schedule:
• Type: Select Daily, Weekly or Monthly
• Occurs: Select Once at or Every hour(s) starting at
• On: Select the day or day of the month
6. After entering a name and the details of the schedule, use the OK button to close the dialog and create the schedule. The newly created schedule will be displayed in the Resources object list when Schedules is selected in the explorer view.
New Schedule Dialog The New Schedule dialog is displayed when the New | Schedule tool bar button or right-click menu command is used when Schedules (or a subfolder) is selected in the explorer view of the Resources pane. From this dialog, you will define a schedule which can then be linked to the jobs that are to run at that time. This dialog consists of two tabbed pages: • General – use the General page to enter a name and description for the new schedule. • Details – use the Details page to define the time interval for the schedule.
General Page From the General page, specify the general information for the schedule. The information entered on this page will be displayed in the Resources object list when Schedules is selected in the explorer view.
Name Enter a descriptive name for the new schedule. Comment Optionally, enter a description or comment for the new schedule.
Details Page From the Details page, specify the details for this schedule.
Type Use the drop-down menu to select one of the following schedules:
• Daily (default)
• Weekly
• Monthly
Occurs Select one of the following options to define when the schedule is to occur:
• Once at
• Every hour(s) starting at
On When the Weekly schedule is selected, select the check boxes for the days of the week to be included in this schedule.
When the Monthly schedule is selected, select one of the following options:
• The day of the month
• The <1st, 2nd, 3rd, 4th, Last> of the month (for example, the 1st Sunday of the month)
Schedule is disabled Select this check box to disable the current schedule. When this check box is selected, the jobs linked to the disabled schedule will not run until this check box is cleared (not checked).
Chapter 8: Collectors
Using the collectors in the NetControl console, organizations can set up collections to gather data. NetPro data collectors leverage the agents and schedules defined by the NetControl platform to collect data, which is returned to the requesting application’s database for processing. The Collectors tab is available in the navigation pane when NetControl is installed. However, there must be a NetPro application deployed that uses the collectors before data collections can be configured.
This chapter provides the following information:
• Collectors Pane
• Defining a Collector
Please refer to the documentation for each deployed application for more specific information on the collectors used by each individual application.
Collectors Pane The Collectors pane is displayed when Collectors is selected in the navigation pane. From this pane, you can define data collections and see to which components each collector is linked. The following screen shot is from the LogADmin application.
Explorer View The explorer view displays a hierarchy of folders created to organize your data collections. The types of data collections available are based on the licensed NetPro application(s) deployed. Object List The object list displays a list of data collections for the container selected in the explorer view. The following information is displayed for each collection:
• Name – the name of the data collection
• Comment – the descriptive text entered when the collection was defined
• Schedule – the schedule assigned to the data collection
Details Pane The details view displays information about when the data collection process was run. The following information is displayed when a data collection is selected in the object list:
• Run Date – the date when the data collection process was run
• Elapsed Time – the amount of time it took to complete the data collection process
• Status – the current status of the data collection process
Defining a Collector
The following steps are general instructions for defining collectors. Since each deployed product collects a different set of data, please refer to the documentation for each deployed application for complete instructions on setting up data collections for that application.
1. Log on to the NetControl console.
2. Select the Collectors button in the navigation pane to open the Collectors pane.
3. Depending on the NetPro product, select the appropriate item in the explorer view. (The objects displayed depend upon the NetPro product(s) that are deployed.)
4. Select the New | Collector tool bar button or right-click command to display the New Collector dialog.
5. On the General page, enter a descriptive name and an optional comment to describe the collector.
6. On the Schedule page, select the schedule to be used for the data collection process.
7. On the Agent Groups page, select the agent group that contains the server(s) to be used to collect the data.
NOTE: Depending on the type of collector being defined, there are additional pages that must be configured. Please refer to the documentation for each individual application for more information on the different collectors and the additional information required.
New Collector Dialog The New Collector dialog is displayed when the New | Collector menu or tool bar button is selected in the explorer view of the Collectors pane. The New Collector dialog consists of the following pages where NetControl components are configured for the purpose of collecting data: • General – use this page to enter a name and description for the data collector • Schedule – use this page to schedule the data collection process • Agent Groups – use this page to select the agent group that contains the server(s) that are to collect the data There are additional pages that must be configured. However, they are application specific and depend on the NetPro application deployed. The example screen captures are from NetPro’s AccessManager.
General Page From the General page, specify general information about the data collection.
Name Enter a descriptive name for the new collection. Comment Optionally, enter a description or comment for the new collection.
Schedule Page Use the Schedule page to link a schedule to the data collection to define when the data is to be collected. A schedule must be set otherwise data is not collected.
Schedule Use the browse button to display the Select a Schedule dialog allowing you to select from a list of previously defined schedules or create a new schedule. For a description of the Select a Schedule dialog, see ‘Defining Schedules’ on page 49. Clear Use the Clear link to clear the contents of the Schedule box.
Edit If there is a schedule displayed in the box, use the Edit link to open the properties page for the schedule to change the details for the schedule.
Agent Groups Page Use the Agent Groups page to select the agent group to be associated with the data collection. That is, select the agent group that contains the server(s) to be used to collect the data. NOTE: You must select an agent group. A message is displayed if there is no agent group selected.
Agent Groups List Box This list box displays the agent group(s) associated with the new collector. Use the Add and Remove buttons to add/remove agent groups to/from this list box. Add Use the Add button to add agent groups to the list box. Selecting this button will display the Select an Agent Group dialog allowing you to select the agent group(s) to be used to collect the data. For a description of the Select an Agent Group dialog, see ‘Creating Agent Groups’ on page 33. Remove After agent groups have been added and are displayed in the Agent Groups list box, use the Remove button to remove an agent group from the list box. Select the agent group to be removed and select the Remove button.
Chapter 9: Active Directory Management Console

NetControl automatically deploys the Active Directory Management Console (ADMC) and activates an Active Directory Users and Computers (ADUC) Extension. The ADMC allows you to modify Active Directory objects similar to using ADUC. In addition, using the ADMC you can define provisioning rules or assign workflow to objects. Then, when you initiate an Active Directory modification using either ADMC or ADUC, it will trigger the workflow or rules as previously defined. For more information about using the Active Directory Management Console, please go to http://www.turbochargedad.com/.

Warning
NetControl 3.x also installs an ADUC extension which allows you to use the workflow and provisioning rules defined through the ADMC. If you select Cancel on the NetControl Connection dialog instead of connecting to the NetControl Console, ADUC will launch in a read-only mode and you will not be able to modify Active Directory objects. Please see Appendix C: Active Directory Users and Computers (ADUC) Extension on page 127 for more details.

When using the ADMC, please keep the following considerations in mind:
NOTE: ADMC uses native permissions; therefore, if you do not have the proper rights to modify Active Directory objects, these functions will also be disabled through the ADMC.
NOTE: Some ADUC right-click menu commands (such as copy and cut) are not available through the ADMC. We recommend using ADUC to perform these actions.
NOTE: Not all MMC snap-ins (e.g., NetPro’s RestoreADmin or GPMC) will be available through the ADMC.
This chapter provides the following information and procedures:
• Active Directory Management Console Pane
• Creating a Custom View
• Establishing a Connection
• Creating Provisioning Rules
• Configuring Workflow for an ADMC Action
Please refer to Chapter 10: Workflow on page 89 for a full description of the Workflow Editor and the Workflow pane from which you can view the workflow queue, and if assigned the proper roles, review and/or approve workflow items.
Active Directory Management Console Pane
The Active Directory Management Console (ADMC) pane is displayed when the Active Directory button is selected in the NetControl navigation pane. From this pane, you can perform the same functions as you can using the Active Directory Users and Computers MMC snap-in. In addition, you can also perform the following tasks through the ADMC:
• create custom views
• establish a connection to Active Directory objects
• create provisioning rules to manage updates to Active Directory content
• define workflow items for modifying, creating and/or deleting Active Directory objects
Explorer View
The ADMC explorer view contains the following default nodes, which are empty upon initial deployment:
• Custom Views - This node contains user-defined containers that allow you to group objects across the forest in order to provide a central management point. Use the New | Custom View right-click command to create custom views.
• Connections - This node contains connection points to a domain, the Configuration container or the Schema container. Use the New | Connection right-click command to populate this node.
Right-clicking the Custom Views node in the explorer view of the ADMC will display the following commands:
New | Custom View - Use the New | Custom View command to define the contents of the new custom view. Selecting this command will display the Properties dialog allowing you to add objects to this custom view and define who can view and/or enumerate this custom view.
Refresh - Use the Refresh command to retrieve and display the latest information.

Right-clicking a user-defined view under the Custom Views node in the explorer view of the ADMC will display the following commands:
Delete - Use the Delete command to remove the selected view from the ADMC explorer view.
Refresh - Use the Refresh command to retrieve and display the latest information.
Permissions - Use the Permissions command to display the Permissions dialog to view and/or modify the permissions to be delegated to the selected view. For more information on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15.
Properties - Use the Properties command to display the Properties dialog to modify the objects and/or visibility settings for the selected user-defined view.

Right-clicking the Connections node in the explorer view of the ADMC will display the following commands:
New | Connection - Use the New | Connection command to establish a new connection. Selecting this command will display the Connection dialog allowing you to specify the connection point.
Permissions - Use the Permissions command to display the Connection Permissions dialog to view and/or modify the permissions to be delegated to the connections nodes. For more information on implementing application security and the Permissions dialog, see Chapter 3: Application Security on page 15.
Refresh - Use the Refresh command to retrieve and display the latest information.

Right-clicking a container under the Connections node will display the following commands:
New - Expand the New command to add a new object to the selected Active Directory container.
Rename - Use the Rename command to rename the selected Active Directory container.
Remove - Use the Remove command to remove the selected Active Directory container.
Rules and Workflow - Use the Rules and Workflow command to define provisioning rules or workflow for the selected Active Directory container.
NOTE: When both workflow and rules are applied to the same object, workflow will be applied but the rule will not be triggered.
Properties - Use the Properties command to display the native Properties dialog for the selected container.

Account List
The account list, in the right-hand pane, displays the accounts that belong to the Active Directory container selected in the explorer view. The following information is displayed:
• Name - the display name of the accounts that belong to the selected container in the explorer view
• Class - the type of account (e.g., user, group, etc.)
• Description - a brief description of each account listed

Right-clicking an account in the right-hand pane will display the following ADMC command in addition to the standard commands available through the Active Directory Users and Computers snap-in:
Rules and Workflow - Use the Rules and Workflow command to define provisioning rules or workflow for the selected Active Directory account.
NOTE: When both workflow and rules are applied to the same object, workflow will be applied but the rule will not be triggered.
Creating a Custom View
Custom Views are user-created containers that allow you to group objects across the forest in order to provide a central management point. These views are similar to ADUC’s custom queries, except that you can specify who can access your custom views.

Best Practice Recommendation
Do not use built-in security groups in custom views.
To define a new custom view:
1. Select Active Directory from the navigation pane to open the ADMC pane.
2. Select the Custom Views node from the explorer view.
3. Select the New | Custom View right-click menu command. This will display the Properties dialog where you can assign a name, define the contents and specify who can access the new custom view.
4. On the General page, enter a descriptive name and an optional comment to describe the custom view.
5. On the Contents page, use one of the following tabs to define the contents of the custom view:
   • Use the Objects tab to add objects directly to the custom view
   • Use the Queries tab to define a query to populate the custom view
6. On the Advanced page, define who can see and/or enumerate the custom view.
7. After assigning a name, defining the contents of the custom view and who can access the view, select the OK button to close the dialog and create the custom view.
8. Select F5 or use the Refresh tool bar button or right-click menu command to display the newly created view under the Custom Views node in the explorer view.
9. When a user-defined view is then selected, the accounts added to this view will be displayed in the Account list in the right-hand pane.
10. Similar to ADUC, you can right-click an account from the right-hand pane to manage your Active Directory objects. The same commands available through ADUC are also available in NetControl’s ADMC. In addition, using the ADMC, you can define provisioning rules or workflow for an Active Directory object.
Properties Dialog
The Properties dialog is displayed when the New | Custom View right-click menu command is used when Custom View is selected in the explorer view of the ADMC pane. From this dialog, you will define a group of objects to provide a central management point. This dialog consists of three tabbed pages:
• General - use the General page to assign a name and description to the new custom view.
• Contents - use the Contents page to populate the contents of the custom view.
• Advanced - use the Advanced page to define who can use the custom view.

General Page
Use the General page to provide a name and description for the new custom view.

Name - Enter a descriptive name for the custom view.
Comment - Optionally, enter a description or comment for the new custom view.
Contents Page
Use the Contents page to populate the contents of the custom view. You can add objects directly using the Objects tab or by defining a query using the Queries tab.

Objects tab - The list box on the Objects tab displays the objects that were added directly from the native Select Users, Contacts, Computers, or Groups dialog.
Queries tab - The list box on the Queries tab displays the objects added using the query defined on the Find Users, Contacts and Users dialog.
Add - Use the Add button to add objects to the custom view. From the Objects tab, selecting this button will display the native Select Users, Contacts, Computers, or Groups dialog allowing you to add objects directly to the custom view. From the Queries tab, selecting this button will display the native Find Users, Contacts and Users dialog to define a query to be used to populate the custom view.
Edit - Use the Edit button to edit the selected query. The Edit button is only available from the Queries tab.
Remove - Use the Remove button to remove the selected object from the custom view.
Allow container expansion - This check box is selected by default and will populate the explorer view with any container objects resolved during the enumeration of the custom view in a hierarchical tree view. If this option is not selected, the selected container will be expanded one level and objects will be displayed in the list view only.
Advanced Page
Use the Advanced page to define who can view/enumerate the custom view.

Only I can use this Custom View - This option is selected by default and indicates that only you have access to the custom view. That is, only you will be able to view and/or enumerate the custom view.
The Custom View can be used by the following accounts - Select this option to specify the accounts that will be able to view and/or enumerate the custom view.
Add - When the second option is selected, use the Add button to add the accounts that are to have access to the custom view. Selecting this button will display the native Select Users or Groups dialog to select the accounts.
Remove - Use the Remove button to remove the selected account(s) from the list if you no longer want them to have access to the custom view.
Establishing a Connection
The Connections node in the ADMC explorer view allows you to establish a connection to a domain, the Configuration container or the Schema container. Once connected, you can administer Active Directory objects similar to using the Active Directory Users and Computers MMC snap-in.

To establish a connection:
1. Select Active Directory from the navigation pane to open the ADMC pane.
2. Select the Connections node from the explorer view, right-click and select the New | Connection command. Selecting this command will display the Connection dialog allowing you to define the connection point.
3. On the Connection dialog, select one of the following options and enter the requested information:
   • Select a well-known naming context (domain, Configuration or Schema)
   • Enter a distinguished name
4. Optionally, select the option to enter a name and description for this connection. If you do not select this option, the name and description will be retrieved from the connection point.
5. After defining the connection point, select OK to create the connection which will populate the explorer view with a hierarchical tree view of the selected naming context.
6. When a container is then selected in the explorer view, the accounts in the selected container will be displayed in the Account list in the right-hand pane.
7. Similar to ADUC, you can right-click a container in the explorer view or an account from the Account list to manage your Active Directory objects. The same commands available through ADUC are also available in NetControl’s ADMC. In addition, using the ADMC, you can define provisioning rules or workflow around an Active Directory object.
Connection Dialog
The Connection dialog is displayed when the New | Connection right-click menu command is used when the Connections node is selected in the explorer view of the ADMC pane. From this dialog, you will define the connection point to be used (e.g., a domain, Configuration container or Schema container).

Select a well-known naming context - Select this option to select a well-known naming context and use the drop-down arrow to select the naming context to be used for this connection:
• Domain (default)
• Configuration
• Schema
Enter a distinguished name - Select this option to enter a distinguished name for the connection point to be used.
Path - This is a read-only field that displays the path of the distinguished name entered above.
Specify a name and description for this connection - Select this option to enter a name and description for the connection, which will be displayed in the tree view. If you do not select this option, the name and description will be retrieved from the connection point (e.g., the domain, Configuration container, etc.).
Name - Enter a descriptive name for this connection.
Description - Enter a description for this connection.
Creating Provisioning Rules
When creating rules through the ADMC, please keep the following notes in mind:
NOTE: Modifying multiple properties of an object in a single operation may trigger multiple rules. Microsoft submits changes on a property page basis; therefore, each page being modified will create a new rule.
NOTE: When both workflow and rules are applied to the same object, workflow will be applied but the rule will not be triggered.

To create provisioning rules:
1. Log on to the NetControl console.
2. Select Active Directory in the navigation pane to display the ADMC.
3. Expand the Custom Views or Connections container to view the objects to which you have access. To set rules at the container level, right-click a container in the explorer view and select the Rules and Workflow command. To set rules at an object level, right-click an object in the right-hand pane and select the Rules and Workflow command to define a rule for the selected object.
4. Selecting the Rules and Workflow command will display the Configuration dialog.
5. Open the Rules page and select the Add button to launch the Rules Wizard.
6. On the first page of the Rules Wizard, define the operation that will trigger the rule:
   • for all operations on any object
   • when an object is created
   • when an object is deleted
   • when the properties of an object are changed
   When you select an option from the top pane, a corresponding ‘when’ entry is added to the bottom pane. By default, any object classes will be selected; however, if you want to specify a specific object class, select the any object classes hyperlink to select (check) the object class(es) to which this rule is to be applied. Similarly, any property is selected by default, which can be changed by selecting the any property hyperlink.
   NOTE: Only one operation can be specified per rule.
7. After defining the operation from this page, select the Next button to continue.
8. On the second page, optionally define what conditions must be satisfied in order for the rule to perform any configured actions. When you select (double-click) a condition from the top pane, a corresponding ‘where’ entry is added to the bottom pane. Click on the entry to display the Properties and Values dialog. On this dialog, select the property hyperlink to select a single property. Then select the value hyperlink to enter the value(s) to be used in the filter.
9. After entering the conditions for the rule, select the Next button to continue.
10. On the third page, select one or more actions that are to be performed if the rule is ‘satisfied’ based on the operation and conditions previously defined in the wizard.
    When you select an option from the top pane, a corresponding entry is added to the bottom pane. Select the hyperlink in the entry to add the details required. As you add actions to the rule, you will see the details of these actions displayed at the bottom of the Rules Wizard page.
    NOTE: The actions will be performed in the order they are listed in the bottom pane. There is currently no method for modifying the order, so be sure to select the actions in the desired order.
    Select the Next button to continue.
11. On the final page of the Rules Wizard, enter a name for the rule and enable or disable the rule.
12. Once the rule is created, it will be enforced for every operation to which it applies when that operation is performed through the NetControl ADMC pane.
Rules Wizard
The Rules Wizard is launched when the Add button on the Rules page of the Configuration dialog is selected. From this wizard you can define provisioning rules for the selected container or object. The Rules Wizard contains the following pages:
• Page 1: Defining the Action
• Page 2: Setting Conditions for the Rule (Optional)
• Page 3: Setting Actions for the Rule
• Page 4: Verifying the Rule Settings
Rules Wizard - Page 1: Defining the Action
Rules can be triggered on object modifications in the following ways:
• specific condition on a specific object (e.g., when description changes on users)
• specific operation on any object (e.g., when description changes on any object)
• any operation on a specific object (e.g., when any property changes on a group)
• any operation on any object (e.g., when any property changes on any object)
• for all operations on any object
• for any operation on a specific object (e.g., when any operation occurs on user)

Additionally, rules can be triggered on creation and deletion operations:
• when a specific object is created/deleted
• when any object is created/deleted
To define the operation that will trigger the rule:
1. Select one of the following options from the top pane:
   • For all operations on any object
   • When an object is created
   • When an object is deleted
   • When the properties of an object are changed
2. When you select an option from the top pane, a corresponding ‘when’ entry is added to the bottom pane. Only one operation can be specified. Therefore, selecting a new operation in the top pane will replace any entry displayed in the bottom pane.
3. If you want the rule to apply to a specific object class instead of all object classes, select the any object classes hyperlink in the entry to display the Object Type dialog which allows you to select (check) the object class(es) to be used in the rule.
   NOTE: ‘Any object class’ is selected (checked) by default. If you do not want this rule to apply to ‘any object’, you must deselect (uncheck) the ‘any object class’ check box in the Object Type dialog.
4. If you want the rule to apply to a specific property instead of all properties, select the any property hyperlink in the entry to display the Properties dialog to select (check) the properties to be used in the rule.
5. After defining the operation from this page, select the Next button to continue.
Rules Wizard - Page 2: Setting Conditions for the Rule (Optional)
This page of the Rules Wizard allows you to define what conditions must be satisfied in order for the rule to perform any configured actions (e.g., only happens if value is null or matches a specific string). Not selecting a condition means that the rule will trigger whenever the operation defined on page 1 of the Rules Wizard occurs.
To set conditions for the rule:
1. From the top pane on this page, double-click to select from the following conditions:
   • Where property equals value
   • Where property does not equal value
   • Where property matches value (This is used for Regular Expression Matching. See ‘Regular Expression Matching’ on page 82 for sample string and screen shot.)
   • Where property does not match value (This is used for Regular Expression Matching. See ‘Regular Expression Matching’ on page 82 for sample string and screen shot.)
   • Where property is empty
2. When you double-click a condition from the top pane, a corresponding ‘where’ entry is added to the bottom pane. You can specify multiple conditions and as you select (double-click) a condition in the top pane, a new entry will be added to the bottom pane with an AND operator, indicating that all of the conditions listed must be met before the rule will be triggered. To remove an entry from the bottom pane, right-click and select the Remove command.
3. Select the entry to display the Properties and Values dialog. On this dialog, select the properties hyperlink to display the Properties dialog allowing you to select a single property. Then select the value hyperlink to display the Value Editor and enter the value(s) to be used in the filter. See ‘Value Editor’ on page 81 for more information on using the Value Editor.
4. After adding the conditions for the rule, select the Next button to continue.
Rules Wizard - Page 3: Setting Actions for the Rule
This page of the wizard allows you to define what actions should be performed if the rule is ‘satisfied’ based on the operation and conditions previously defined in the wizard. These actions can be defined in several ways:
• When the rule is processed. By default, rules are processed after the action is committed. There is an option that can be selected that will trigger the rule prior to committing the action, rather than after.
  NOTE: For a ‘delete’ operation, both the ‘This rule is applied before the operation is committed’ and the ‘Stop the operation from being committed’ options MUST be selected (checked).
• Performing specific actions. Setting attributes to values, sending an email, moving an object, or running a script are all designed to help invoke changes.
• Preventing the action that triggered the rule from being committed. This has to be used with the option ‘This rule is applied before the operation is committed’.
  NOTE: For a ‘delete’ operation, both the ‘This rule is applied before the operation is committed’ and the ‘Stop the operation from being committed’ options MUST be selected (checked).
• Stop processing rules. If multiple rules are linked, this would be used to prevent other rules from firing. Thus, if the rule is going to move a user to another location, one may want to prevent the other rules from firing in the chain.
To set actions for the rule:
1. From the top pane, select (check) one or more of the following options:
   • This rule is applied before the operation is committed
   • Set property to value
   • Send an email to recipients
   • Move the object to location
   • Run a script
   • Stop the operation from being committed
   • Stop processing rules
2. When you select an option from the top pane, a corresponding entry is added to the bottom pane. Selecting (checking) multiple actions will add these actions to the bottom pane with an AND operator, indicating that all of the listed actions are to be performed. To remove an action from the list, deselect (uncheck) the action from the top pane.
   NOTE: The actions will be performed in the order they are listed in the bottom pane. There is no way to reorder the actions listed at this time; therefore, you will need to select the appropriate options from the top pane in the desired order.
3. Select the hyperlink in the entry to display an additional dialog allowing you to add the details required. The following table explains what dialogs are displayed for each of the options that create an entry with a hyperlink.
If you select:

Set property to value
   Select this entry to display the Properties and Values dialog where you can add one or more properties and set the property value. See ‘Properties and Values Dialog’ on page 80.
Send an email to recipients
   Select the recipients hyperlink to display a dialog where you can enter one or more email addresses.
Move the object to location
   Select the location hyperlink to display the Location dialog allowing you to locate and select the location to which the object is to be moved.
Run a script
   Select the script hyperlink to launch the Script Editor dialog where you can enter a VBScript to be executed. Please refer to ‘Using the Script Editor’ on page 83 for more details on using the scripting function.
4. As you add actions to the rule, you will see the details of these actions displayed at the bottom of the Rules Wizard page. Select the Next button to continue.
Rules Wizard - Page 4: Verifying the Rule Settings
From the final page of the Rules Wizard you will provide a name for your new rule and enable/disable the rule.
To complete the rule:
1. In the Name field, enter a descriptive name for the rule.
2. By default, the rule is enabled. However, if you would like to disable the rule, uncheck the Enable this rule check box.
3. At the bottom of the page, verify the rule’s settings. Use the Back button to return to a previous wizard page to modify your settings or select the Finish button to close the wizard and create the rule.
4. Once the rule is created, it will be enforced for every operation to which it applies when that operation is performed through the NetControl ADMC pane.
Properties and Values Dialog
The Properties and Values dialog is displayed whenever you select a property/value entry in the bottom pane of page two (Select the Conditions for this rule) or page three (Select the actions for this rule) of the Rules Wizard. From this dialog you will specify properties and their corresponding property values.
To define a property and its corresponding value:
1. Select the property hyperlink to display the Properties dialog where you can select a single property.
2. After selecting a property from the Properties dialog, select OK to close the dialog and return to the Properties and Values dialog.
3. Back on the Properties and Values dialog, select the value hyperlink to launch the Value Editor.
4. Enter an explicit or literal value for the selected property:
   • Explicit values are enclosed in square brackets [ ].
   • Literal values are not enclosed in brackets.
   See ‘Value Editor’ on page 81 for more information on using the Value Editor.
5. After entering a value, select OK to close the dialog and return to the Properties and Values dialog.
6. Back on the Properties and Values dialog, you will see the details for your property/value entry.
7. Use the Add button to add additional property/value entries and repeat steps 1 through 5 for each of these entries.
8. Once you have defined all the properties and their values, select the OK button to close the dialog and return to the Rules Wizard.
Value Editor
The Value Editor is launched whenever a value hyperlink is selected from the Properties and Values dialog. Using this dialog you can enter an explicit or literal value for the selected property.

Value - Enter either an explicit or literal value for the selected property. Explicit values are enclosed in square brackets [ ], whereas values outside of the brackets are taken as literal values. Thus [object.first], [object.given] would result in a display match like: Smith, John.

Special Variables
Object means the object that was being handled to invoke the rule. It can also be viewed as ‘me’. The ‘Parent’ object can also be used and chained to move up a tree. Parent is the container where the object that invoked the rule resides. For example, if a user’s OU path is as follows:
OU=New York,OU=United States,OU=North America,DC=NetPro,DC=COM
then:
[Parent.Name] = New York
[Parent.Parent.Name] = United States
[Parent.Parent.Parent.Name] = North America
Using the Parent object is a great way to populate the location and address information once on the OU, then have all objects in that container be set to the same values as the parent. See screen shot below.
To map the address of an organizational unit to a user, the following would be set in the client UI:

Organizational Unit Attributes | Attribute Description      | User Attributes
[Parent.Street]                | Street Address             | streetAddress
[Parent.I]                     | City                       | I
[Parent.postalCode]            | Zip Code                   | postalCode
[Parent.C]                     | Country Abbreviation (USA) | C
[Parent.co]                    | Country (United States)    | co
[Parent.CountryCode]           | Country Code (840)         | CountryCode

NOTE: In line 1, the Street attribute on an OU maps to streetAddress on a user.
Regular Expression Matching
The following two conditions, on the second page of the Rules Wizard, use Regular Expression Matching:
• Where property matches value
• Where property does not match value

For example, the regular expression below is used to specify the pattern that is expected for the phone number attribute:
\(\d{3}\)\d{3}-\d{4}
This string indicates that the condition is looking for a phone number in the following format: (xxx) xxx-xxxx. The screen shot below uses this regular expression in a rule which also indicates that if a phone number is found that does not match the specified format, the rule is to run a script to fix it.
NOTE: For more information on Regular Expression Matching, please refer to Microsoft’s web site - http://msdn.microsoft.com/en-us/library/ms974570.
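The following VBScript is an added example, not part of the NetPro guide or product. It runs the pattern exactly as printed above against constructed sample values, next to an anchored variant that includes the space shown in (xxx) xxx-xxxx, so you can see what each accepts before relying on such a condition to gate a fix-up script. STRICT_PATTERN, MatchesPattern and NormalizePhone are assumptions of this example.

```vbscript
Option Explicit

' Pattern as printed in the guide. RegExp.Test succeeds when the pattern
' matches ANYWHERE in the value, because the pattern has no anchors.
Const GUIDE_PATTERN = "\(\d{3}\)\d{3}-\d{4}"
' Assumed stricter variant: anchored at both ends, with the space that the
' "(xxx) xxx-xxxx" format shows after the closing parenthesis.
Const STRICT_PATTERN = "^\(\d{3}\) \d{3}-\d{4}$"

' True when sValue matches sPattern under VBScript RegExp rules.
Function MatchesPattern(sValue, sPattern)
    Dim re
    Set re = New RegExp
    re.Pattern = sPattern
    re.Global = False
    re.IgnoreCase = False
    MatchesPattern = re.Test(sValue & "")
End Function

' Returns the number as "(xxx) xxx-xxxx", or "" when the value does not
' contain exactly ten digits. Refusing is safer than guessing which digits
' belong to an extension or country prefix.
Function NormalizePhone(sValue)
    Dim re, sDigits
    Set re = New RegExp
    re.Pattern = "\D"
    re.Global = True
    sDigits = re.Replace(sValue & "", "")
    If Len(sDigits) = 10 Then
        NormalizePhone = "(" & Left(sDigits, 3) & ") " & _
            Mid(sDigits, 4, 3) & "-" & Right(sDigits, 4)
    Else
        NormalizePhone = ""
    End If
End Function

' Demo for cscript.exe. All sample values are constructed for this example.
Dim aSamples, s
aSamples = Array("(602) 555-0100", "(602)555-0100", "602.555.0100", _
                 "call (602)555-0100 after 5pm", "555-0100")
For Each s In aSamples
    WScript.Echo s & " | guide=" & MatchesPattern(s, GUIDE_PATTERN) & _
        " strict=" & MatchesPattern(s, STRICT_PATTERN) & _
        " fixed=[" & NormalizePhone(s) & "]"
Next
```

Because Test succeeds on a partial match, the pattern as printed accepts a value that has other text around the number, and it rejects the spaced form (xxx) xxx-xxxx; check the pattern you enter in the wizard against both cases.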
Using the Script Editor
You can use the script editor to enter a VBScript which can be executed as part of the rule. The script editor is launched when you select the script hyperlink in the bottom pane of the third page of the Rules Wizard.
NOTE: When using Windows Server 2008, the vbscript.dll and the msscript.ocx must be registered to use the scripting feature of ADMC/ADUC Extension. See Appendix C: Active Directory Users and Computers (ADUC) Extension on page 127 for more details.
To use the Script Editor:
1. Select the run a script option from the third page in the Rules Wizard.
2. Select the script hyperlink in the bottom pane to launch the script editor.
3. Replace all of the information in the script editor window with the contents of the script you want to execute.
   NOTE: We do NOT recommend that you cut and paste scripts from a Word document into the NetControl Script Editor. This is because special characters (e.g., quotation marks) do not convert cleanly during the cut and paste operation.
4. After entering your script, select OK to close the script editor and return to the Rules Wizard.
Rule Function Structure

As displayed in the script editor window, the rule processing engine function structure is as follows:

Function RuleFunction(sVerb, bPreCommit, sBindString, sObjectData, sCallerSID)
End Function

Where:

sVerb
This is the type of action being performed (i.e., modify, create or delete).

bPreCommit
A boolean value (True/False) indicating whether the rule is executing pre- or post-commit. By default, rules will be processed after the operations that invoked the rule, unless the ‘this rule is applied before the operation is committed’ option is selected. Thus the default value is false (meaning post-commit).
sBindString
This is the LDAP bind string to the server that is performing the operation. A sample bind string would be:

LDAP://dcimprov.COMEDY.LOCAL/CN=Rod Simmons,OU=Phoenix,OU=NA,DC=NetPro,DC=LOCAL

NOTE: Server Name is only passed when an object is created or modified. Deletions do not pass a server in the bind string.

sObjectData
This is the DataXML string about the object being modified.

sCallerSID
This represents the SID of the account that was managing the object.
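An added example, not code from NetControl or from this guide: VBScript helpers that a rule script could call from RuleFunction, covering the phone pattern from Regular Expression Matching and the two bind string forms described above. It assumes the rule condition evaluates patterns the way VBScript's RegExp.Test does, that a deletion's bind string is LDAP:// followed directly by the distinguished name, and that sCallerSID arrives as text; the helper names and the sample values are constructed for illustration.

```vbscript
Option Explicit

' Pattern exactly as printed in this guide (no space after the area code).
Const PHONE_AS_PRINTED = "\(\d{3}\)\d{3}-\d{4}"
' Added variant: anchored, with the space shown in "(xxx) xxx-xxxx".
Const PHONE_STRICT = "^\(\d{3}\) \d{3}-\d{4}$"

' True when sValue contains a match for sPattern. RegExp.Test is a search,
' so an unanchored pattern also succeeds inside a longer string.
Function MatchesPattern(sPattern, sValue)
    Dim re
    Set re = New RegExp
    re.Pattern = sPattern
    MatchesPattern = re.Test(sValue)
End Function

' Splits a bind string into Array(server, distinguishedName).
' server is "" when none was passed (the deletion case); both elements are ""
' when the string does not start with LDAP://.
Function SplitBindString(sBindString)
    Dim sRest, iSlash, sFirst
    If UCase(Left(sBindString, 7)) <> "LDAP://" Then
        SplitBindString = Array("", "")
        Exit Function
    End If
    sRest = Mid(sBindString, 8)
    iSlash = InStr(sRest, "/")
    If iSlash > 0 Then
        sFirst = Left(sRest, iSlash - 1)
        ' A server name has no "="; a DN component (CN=, OU=, DC=) always does.
        If sFirst <> "" And InStr(sFirst, "=") = 0 Then
            SplitBindString = Array(sFirst, Mid(sRest, iSlash + 1))
            Exit Function
        End If
    End If
    ' Anything else is treated as a serverless distinguished name.
    SplitBindString = Array("", sRest)
End Function

' Hypothetical helper: one audit line per invocation, built only from the
' documented RuleFunction parameters (sObjectData is left out because its
' DataXML layout is not described on this page).
Function DescribeCall(sVerb, bPreCommit, sBindString, sCallerSID)
    Dim aParts, sStage, sServer
    aParts = SplitBindString(sBindString)
    If bPreCommit Then sStage = "pre-commit" Else sStage = "post-commit"
    If aParts(0) = "" Then sServer = "(no server passed)" Else sServer = aParts(0)
    DescribeCall = sVerb & " " & sStage & " by " & sCallerSID & _
                   " on " & sServer & " dn=" & aParts(1)
End Function

' ---- Demonstration under cscript only (WScript is not a rule-engine object) ----
Dim aPhones, sPhone, aBinds, sBind

' Constructed phone values: no space, documented layout, embedded in a longer
' string, and a different layout altogether.
aPhones = Array("(602)555-0142", "(602) 555-0142", _
                "x(602)555-01429999", "602-555-0142")
For Each sPhone In aPhones
    WScript.Echo sPhone & " | as printed: " & _
                 MatchesPattern(PHONE_AS_PRINTED, sPhone) & _
                 " | strict: " & MatchesPattern(PHONE_STRICT, sPhone)
Next

' The guide's sample bind string, then the same DN without a server
' (constructed to model a deletion).
aBinds = Array( _
    "LDAP://dcimprov.COMEDY.LOCAL/CN=Rod Simmons,OU=Phoenix,OU=NA,DC=NetPro,DC=LOCAL", _
    "LDAP://CN=Rod Simmons,OU=Phoenix,OU=NA,DC=NetPro,DC=LOCAL")
For Each sBind In aBinds
    ' The SID below is a constructed placeholder.
    WScript.Echo DescribeCall("modify", False, sBind, _
                 "S-1-5-21-1111111111-2222222222-3333333333-1105")
Next
```

Run it with cscript to compare the two patterns: the pattern as printed accepts the number without a space and also succeeds inside a longer string, while the anchored variant accepts only the documented layout.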
Configuring Workflow for an ADMC Action

Workflow is a NetControl feature and is available for actions performed via the ADMC. The NetControl workflow process allows administrators to set up certain actions that must adhere to a review/approve cycle before the action will be rolled out to the production environment. This section describes how to set up a workflow for an ADMC operation. For more information about the workflow approval process and roles, using the Workflow Editor, and the Workflow Pane from which you can view and manage the workflow queue, please refer to Chapter 10: Workflow on page 89.

ADMC Actions Available in Workflow Editor

The following ADMC actions are available as actions in the Workflow Editor:

Action: Modify property on object
To access Workflow Editor: Right-click a container under the Connections node in the explorer view of the ADMC and select the Rules and Workflow command. On the Configuration dialog, open the Workflow page and select the Add button to launch the Workflow Editor.

Action: Create object
To access Workflow Editor: Right-click a container under the Connections node in the explorer view of the ADMC and select the Rules and Workflow command. On the Configuration dialog, open the Workflow page and select the Add button to launch the Workflow Editor.

Action: Delete object
To access Workflow Editor: Right-click a container under the Connections node in the explorer view of the ADMC or an object in the Account list (right-hand pane) and select the Rules and Workflow command. On the Configuration dialog, open the Workflow page and select the Add button to launch the Workflow Editor.

Action: Modify property
To access Workflow Editor: Right-click an object in the Accounts list (right-hand pane) of the ADMC and select the Rules and Workflow command. On the Configuration dialog, open the Workflow page and select the Add button to launch the Workflow Editor.
To apply workflow to an ADMC action:
1. Log on to the NetControl console and select the Active Directory button in the navigation pane.
2. From the ADMC, right-click a container under the Connections node in the explorer view or an object from the right-hand pane and select the Rules and Workflow command to display the Configuration dialog.
3. Select the Workflow button to open the Workflow page.
4. On the Workflow page, select the Add button to open the Workflow Editor.
5. On the General page, enter a name and description for the workflow item.
6. In the Actions section of the General page, select the check boxes for the operation that must adhere to the workflow. The operations listed depend upon whether a container in the explorer view or an object in the Accounts list is selected.
7. On the Request page, set the following options:
• select user or group accounts that can create a request
• optionally select the accounts that are to be excluded from the workflow process
• by default the request never expires - optionally, select lifetime properties for the request if it is not completed in a specified time frame
• select commenting options
8. On the Review page, set the following options:
• select the user and/or group accounts that can review the request
• select parameters around the number of required reviewers and the minimum number of reviewers that must approve the request
• select commenting options
• select the action to be taken when a request is denied. You can send an email notification or close the request.
• select email settings specifying who to notify about the status of the request review
9. On the Approve page, select the following options:
• select the users and/or group accounts that can approve the request
• select parameters around the number of required approvers and the minimum number of approvers that must approve the request
• select commenting options
• select the action to be taken when a request is denied. You can send an email notification or close the request.
• select email settings specifying who to notify about the status of the request approval
10. On the Commit page, select the following options:
• specify if you want to commit the request immediately or on a schedule
• select if you want to send an email notification when the request is committed
11. Select OK to close the Workflow Editor and save the workflow item.
Modifying Active Directory When Workflow is Applied

Once workflow is defined, you can use either ADMC or ADUC to submit requests for modifying Active Directory objects.

NOTE: Modifying multiple properties of an object in a single operation may trigger multiple workflow items. Microsoft submits changes on a property page basis; therefore, each page being modified will create a new workflow item.

NOTE: User accounts created using workflow will not maintain the settings selected when creating the object (e.g., enable/disable setting, password settings, Exchange settings). Once the account is created, you will need to go back to set the password and status (enable user).

NOTE: When you create an object through workflow, a message is displayed stating ‘Windows cannot create the object because: The specified directory object is not bound to a remote resource.’ Select OK to submit the request.

NOTE: When both workflow and rules are applied to the same object, workflow will be applied but the rule will not be triggered.

1. Using either the ADMC or ADUC, go through the typical procedure for creating, deleting and/or modifying an Active Directory object.
2. When prompted, enter a comment to accompany the modification being requested.
NOTE: Even if the ‘Comments are not required’ option was selected on the Request page of the Workflow Editor, the Comment dialog will be displayed. Select the Cancel button on the dialog to proceed without adding a comment.
3. The following message is then displayed explaining that the request has been submitted. Select OK to close this dialog.
NOTE: When using the ADMC, actions that modify Active Directory objects that are performed using the right-click menu command (e.g., account disable, password reset) will display a Microsoft dialog indicating that the change has been made (e.g. account has been enabled/disabled) in addition to the workflow comment and request submitted message dialogs. The Microsoft dialog is misleading because the action has not been committed as indicated, but has been submitted to the workflow queue requiring it to be reviewed/approved before it will be committed.
4. To verify that your request has been submitted, select the Workflow button in the NetControl navigation pane to open the Workflow pane. Your request should be listed under the To be reviewed or To be approved heading depending on the ‘Automatically review/approve the request’ settings set in the Workflow Editor when the workflow was created.
5. From here you can right-click and select the Details menu command to review the request details. For more details on managing and tracking your workflow requests, please refer to ‘Managing Workflow Requests’ on page 104.
Chapter 10: Workflow

The NetControl workflow process allows administrators to set up certain actions that must adhere to a review/approval cycle before the action will be rolled out to the production environment. When you configure workflow in NetControl, you are selecting the actions that will go through a review/approval process. The actions that can use workflow are dependent on the NetPro application that you are using.

An action that you set up for the approval process goes through the following stages:
• A request is submitted by a user and the workflow is initiated.
• A reviewer (or group of reviewers) views the request and can either approve or reject the request. If approved the request proceeds to the approval stage.
• An approver (or group of approvers) decides that the action can proceed to the next stage. Again the request can either be approved or rejected.
• After the action is approved it is committed and proceeds to fulfilment.
Email notifications can be configured for different stages in the workflow process. You can send emails to requesters/reviewers/approvers when a request is approved/rejected or committed.
Workflow
90
NetControl
When setting up a workflow in the Workflow Editor, there are three roles that can be set up:
• Requester – A user that is a requester can submit actions for the approval process, review details about their request, and cancel their request if no longer required.
• Reviewer – A reviewer can view the request, approve or deny the request, and review the details about the request. The reviewer role is optional.
• Approver – An approver can view the request, approve or deny the request, and review the details about the request. The approver role is optional.

The Workflow pane is available in the navigation pane when NetControl is installed. However, workflow must be configured for an object before any request information will be displayed. Any user that logs on to NetControl can view all items in the workflow queue. However, a user must be explicitly added as a requester, reviewer or approver to change the states of workflow items.

This chapter provides the following information and procedures:
• Workflow Editor
• Workflow Pane
• Managing Workflow Requests
• Reviewing and/or Approving Workflow Requests
• Using Microsoft Outlook to View Workflow Items
Please refer to the documentation for each deployed NetPro application to determine if it can use the workflow feature and for more information on the actions that can be assigned to a workflow process.
Workflow Editor

Using the Workflow Editor you will define who can request, review and approve the actions as well as select the options to be applied as the action progresses through the different stages of the workflow process. The Workflow Editor is launched when the Add button on the Workflow page of an object’s Permissions dialog or Configuration dialog is selected.

The Workflow page, as mentioned above, is available either through the Permissions dialog or the Configuration dialog. Use one of the following methods to display the Workflow page, from which you can launch the Workflow Editor:
• Depending on the deployed NetPro application, right-click the node then select Permissions to open the Permissions dialog (for the selected node). On the Permissions dialog, select the Workflow button - from here you can add, edit and remove workflow items.
• From the ADMC, right-click a container under the Connections container in the explorer view (left-hand pane) or right-click an object in the account list (right-hand pane) and select the Rules and Workflow command to open the Configuration dialog. On the Configuration dialog, select the Workflow button - from here you can add, edit and remove workflow items.
The Workflow Editor consists of the following pages:
• General – Provide a name, comment and action for the workflow item.
• Request – Set the accounts that can request workflow items. You can also select accounts that are exempt from following the workflow.
• Review – Select the accounts that will be required to review the request.
• Approve – Select the accounts that will be required to approve the request before the workflow item will be committed.
• Commit – Select when the workflow item will be rolled out in the environment.
General Page

On the General page, provide a name and brief description for the workflow. Also, select the action(s) to which workflow is to be applied. The list of available actions is populated based on the node or object selected in the ADMC or other NetPro application pane. The screen shots illustrated here are of the Workflow Editor when it is launched by selecting a container in the ADMC explorer view.

Name
Provide a descriptive name for the workflow.

Comment
Enter a brief description that will help you identify the workflow.
Actions
Select (check) the check boxes for the actions that are to be enforced by the workflow. You can select as many actions for the workflow as you want. This list changes depending on the object or node selected in the ADMC or other NetPro product pane.

If you want to specify a specific object and/or property, click the any object class and/or any property hyperlinks to specify the object class(es) and/or property to which the workflow is to be applied. When you select the any object class hyperlink, the Object Types dialog is displayed allowing you to select (check) one or more object types for the workflow. When you select the any property hyperlink, the Properties dialog will be displayed allowing you to select (check) one or more properties for workflow.
Request Page

On the Request page, select the user or group accounts that must adhere to the defined workflow process when the selected action is being performed. That is, when a specified account attempts an action selected on the General page, that action is assigned to the workflow queue and must be reviewed/approved before it can be committed. For example, if Create User Object is selected for workflow, when the user tries to create a new user object through the ADMC, a message is displayed indicating that the action must be approved before the user object can be created.

The Request page of the Workflow Editor contains two tabs to define the accounts that must follow the selected workflow:
• Use the Accounts tab to define the accounts that must adhere to the defined workflow process when they attempt to perform the selected action.
• Use the Exemptions tab to define the accounts to be excluded from the workflow request process. That is, when a user account or group is exempted, they can perform the action that is defined in the workflow without going through the review/approval process.
Accounts tab
The list box on the Accounts tab contains the users and/or groups that must adhere to the defined workflow process.

Exemptions tab
The list box on the Exemptions tab contains the users and/or groups which are excluded from the workflow request process.

Add
Click the Add button to open the native Select Items dialog. Choose the accounts that you want to adhere to the workflow process (or from the Exemptions page, the accounts to be excluded from the process).

Remove
Once user or group accounts are added to either the accounts list or exemptions list, click the Remove button to remove it from the displayed list.

Lifetime
The Lifetime section of a workflow entry defines how long a request is to remain in the queue before an escalation action occurs.

Requests never expire
This option is selected by default and indicates that the request will never expire.
If the request is not completed in
Select this option if you want the request to expire after a set period of time. Enter the length of time and the time frame (hours, days or weeks). The following options are activated when you select this option:
• Close the request - Select this check box if you want the request closed after the specified period of time passes without an action on the request.
• Send an email to - Select this check box if you want to set up an email recipient to notify a user that the request has expired without any action or that the request is not completed and needs attention. Enter the email address of the user(s) to receive the notification.
NOTE: Before selecting an email option, ensure that there are valid Mail attributes configured in Active Directory for the accounts selected. If there is a valid Mail attribute value from Active Directory for the accounts selected then an email can be sent to those accounts.
• Repeat every - Optionally, select this option if you want to send additional email reminders that a workflow request needs attention. Enter the length of time and the time frame (hours, days or weeks).

Options
You may want a requester to provide a comment on why they want to do the selected workflow action.

Comments
Select a commenting option from the drop-down menu. The commenting options are:
• Comments are not required (default)
• Requester must supply a comment
Review Page

On the Review page, select the options for request reviews such as the user/group accounts that can review requests, how many reviewers are required and the action to be taken when a review is approved or denied.

Automatically review the request
Select this check box to skip the review step and automatically place the workflow item in a ‘to be approved’ state.

Reviewer list box
This list box contains the user and/or group accounts that can review the selected workflow item.

Add
Select the Add button to open the native Select Users or Groups dialog. From this dialog, choose the user accounts or groups that will be responsible for reviewing the workflow requests.

Remove
If there are user names or groups in the list box that you no longer want as request reviewers, select the name then select the Remove button.

Requests are handled by a single reviewer
This option is selected by default and indicates that only one reviewer is required to process the workflow request.
Requests must be handled by reviewers
Select this option if you want more than one reviewer to review the request. Enter the number of required reviewers. The default value is two reviewers. The following options are activated when you select this option:

All reviewers must review the request
Select this option if all reviewers must approve the request before the request proceeds to the next stage of the workflow.

At least reviewer(s) must approve the request
Select this option if only a certain number of reviewers need to approve the request before the request proceeds to the next stage of the workflow. For example, there may be five reviewers but only three of these reviewers must approve the request.

Options

Comments
Providing comments is a good way to track the requests going through workflow and why they were approved or rejected. Select a commenting option from the drop-down menu. The commenting options are:
• Comments are not required (default)
• Comments are required on confirmation
• Comments are required on rejection
• Comments are required on confirmation and rejection

Upon rejection
Select one of the following options from the drop-down menu to specify what happens to the request when it is denied by the required reviewers:
• Close the request (default)
• Reassign the request back to the requester

Email Settings
Select one of the following options from the drop-down menu to specify if and when an email is to be sent:
• Do not send email (default)
• Send email when someone approves the request
• Send email when someone rejects the request
• Send email when someone approves or rejects the request
NOTE: Before selecting an email option, ensure that there are valid Mail attributes configured in Active Directory for the accounts selected for requesters, reviewers and approvers. If there is a valid Mail attribute value from Active Directory for the accounts selected on those pages then an email can be sent to those accounts.
Send to
The browse button is activated when you select one of the send email options. Click the browse button to open the Email Accounts dialog to select the workflow role(s) that are to be notified via email about the review status of a request. See ‘Email Accounts Dialog’ on page 100.

Approve Page

On the Approve page, select the options for request approval such as the user/group accounts that can approve requests, how many approvers are required and the action to be taken when a reviewed request is approved or denied.

Automatically approve the request
Select this check box when you want to approve the workflow request automatically. When selected, the workflow item proceeds to the commit stage after the request is reviewed.

Approver List Box
This list box displays the user and group accounts selected as approvers for the selected workflow item.

Add
Select the Add button to open the native Select Users or Groups dialog and select the users or groups that can approve a request.

Remove
If there are user names or groups in the list box that you no longer want as request approvers, select the name then click the Remove button.
Requests are handled by a single approver
This option is selected by default and indicates that only one user has to approve a workflow request for it to proceed through the process.

Requests must be handled by approvers
Select this option if you want more than one account to approve the request. Enter the number of users that must approve the request. The default value is two approvers. The following options are activated when you select this option:

All approvers must approve the request
Select this option if you want all users to approve the request before the request proceeds to the next stage of the workflow. This option is selected by default.

At least approver must approve the request
Select this option if you want to set a certain number of users to approve the request before the request proceeds to the next stage of the workflow. For example, there may be five users and at least three must approve the request.

Options

Comments
Select a commenting option from the drop-down menu. The following commenting options are available:
• Comments are not required (default)
• Comments are required on approved requests
• Comments are required on denied requests
• Comments are required on approved and denied requests

Upon rejection
Select one of the following options to specify what happens to the request if it is denied:
• Close the request (default)
• Reassign the request back to the reviewer

Email Settings
Select one of the following options from the drop-down menu to specify if and when an email is to be sent:
• Do not send email (default)
• Send email when someone approves the request
• Send email when someone rejects the request
• Send email when someone approves or rejects the request
NOTE: Before selecting an email option, ensure that there are valid Mail attributes configured in Active Directory for the accounts selected for requesters, reviewers and approvers. If there is a valid Mail attribute value from Active Directory for the accounts selected on those pages then an email can be sent to those accounts.
Send to
The browse button is activated when you select one of the send email options. Click the browse button to open the Email Accounts dialog to select the workflow role(s) that are to be notified about the approval status of a request. See ‘Email Accounts Dialog’ on page 100.

Commit Page

On the Commit page, select when you want the request to be rolled out in the environment after the request is reviewed and approved.

Commit changes immediately
This option is selected by default indicating that change is to be committed as soon as the request is reviewed and approved. The request will be rolled out with no further action required. Committed changes in NetControl will run every 15 minutes on the hour. You may have to wait a few minutes before a change is committed.

Commit changes on the following schedule
Select this option if you want to schedule when to commit the approved change. Click the browse button to display the Select a Schedule dialog to select the schedule. Schedules are created through the Resources pane in NetControl. For more information, see Chapter 7: Schedules on page 51.
Options

Email Settings
Select one of the following options from the drop-down menu to specify whether to send an email when the request is committed:
• Do not send email (default)
• Send email when the request is committed
NOTE: Before selecting an email option, ensure that there are valid Mail attributes configured in Active Directory for the accounts selected for requesters, reviewers and approvers. If there is a valid Mail attribute value from Active Directory for the accounts selected on those pages then an email can be sent to those accounts.

Send to
The browse button is activated when you select the send email option. Click the browse button to open the Email Accounts dialog to select the workflow role(s) that are to be notified via email when a request is committed. See ‘Email Accounts Dialog’ on page 100.

Email Accounts Dialog

The Email Accounts dialog is displayed when an email option is selected on the following pages of the Workflow Editor: Review, Approve and Commit. Use this dialog to select the workflow roles (requester, reviewers or approvers) to which an email is to be sent regarding the status of the selected workflow item.

NOTE: For requesters, only the individual account that initiated the request will receive the email even if a group is specified on the Request page of the Workflow Editor.

NOTE: When a group is specified, the group email will be used, not individual emails for each member of the specified group.

Requester/Reviewers/Approvers
Select the check boxes for the workflow roles that will receive an email notification. The check boxes are associated with the accounts selected on the Request, Review and Approve pages of the Workflow Editor.

Other
Enter the email account for any additional accounts that you want to send the email notification to. Entering an account here is optional.
Workflow Pane

As a workflow proceeds through the stages, the Workflow pane displays the different states for the item, including: To be reviewed, To be approved, To be committed, Completed, Cancelled, and Request has been denied. A workflow item remains in the queue (unless a lifetime property is set) until the review and approve stages are approved/denied by the designated users.

The Workflow pane is displayed when Workflow is selected in the navigation pane. From this pane you can review the status of your requests, cancel a request, review and approve/deny requests, and view details for a request. Any user that logs on to NetControl can view all items in the workflow queue. However, a user must be explicitly added in the Workflow Editor as a requester, reviewer or approver to change the states of workflow items.
Explorer view
The explorer view displays the Workflow node.

Workflow Items view
The right-hand pane displays the workflow items in the workflow queue, including the following information:

Summary
This column displays a brief description of each workflow item. To change the state of a workflow task, right-click the summary and select the appropriate command:
• Approve
• Deny
• Cancel
• Details
NOTE: One or more of these commands will be available depending on your workflow role(s) assigned and the current state of the workflow task.

State
This column displays the current state of each workflow item in the list. The states include:
• Cancelled - when the requester cancels a request
• Completed - when a request is committed
• Closed - when the request is not completed in the specified time frame and the Close the request option was selected on the Request or Approve page when the rule was defined
• To be reviewed - when the request is waiting to be reviewed
• To be approved - when the request is waiting to be approved
• To be committed - when the request has been approved, but is waiting to be committed
• Request has been denied - when the request was denied during either the review or approve stage and the option to reassign the request back to the requester/reviewer was selected when the rule was defined

Submitted By
This column displays the name of the account that submitted the request.

Submitted On
This column displays the date and time each request was submitted.
Sorting and Filtering Content

The workflow tasks listed on the Workflow pane cannot be removed; however, you can use the following commands to sort the content and/or filter the content to define the workflow items to be displayed. Right-click the pane (not a workflow entry in the list) to display the following commands which allow you to change the contents displayed:

View
Expand the View command and select one of the following options to change how the items in the workflow pane are displayed:
• Tiles
• Icons
• List
• Details (default)

Filter
Expand the Filter command and select one of the following options to define exactly what to display in the workflow pane:
• My requests
• My work items
• All Items (default)

Sort By
Expand the Sort By command and select one of the following options to resort the content displayed:
• Summary (default)
• State
• Submitted by
• Submitted on

Arrange By
Expand the Arrange By command and select one of the following options to group the workflow items differently:
• Summary
• State (default)
• Submitted by
• Submitted on
• none

Refresh
Use the Refresh button to redisplay the latest status of the items in Workflow pane.
NOTE: Whenever the state of a workflow item is changed, you must select the Refresh button to display the new status.
Managing Workflow Requests

Certain actions in your NetPro application may be required to go through an approval process. Therefore, your administrator may have assigned you as a requester. For example, administrators might want actions made through the ADMC (e.g., when a user creates a new object) to adhere to a specific workflow process. A user can go through all the steps to create an object and when finished a dialog is displayed indicating that the action must go through the workflow process.

To review the status of your requests in the workflow queue:
1. Log on to the NetControl console.
2. Click the Workflow button in the navigation pane to display the Workflow node in the explorer view. All submitted requests are displayed in the right pane including your requests. To view only your requests, right-click somewhere on the right-hand pane (not a workflow item in the list) and select the Filter | My Requests command.
3. Right-click a submitted request, then select Details to open the Request Details dialog that provides information about the request such as the date submitted and the date approved.
NOTE: As a requester you cannot review or approve your own requests, therefore, only the Cancel and Details right-click commands will be available.
4. After you finish reviewing the information, click Close to close the Request Details dialog.
5. If the request is still in progress and you decide you no longer need the workflow item, right-click the request then select Cancel.
6. Select F5 or the Refresh tool bar button or right-click command to see that the workflow item is now displayed in the Cancelled column.
NOTE: Only the original requester can cancel their own requests.

Depending on the NetPro application, after a workflow item is committed, you can go to the application component to see the item in the console. If configured during the workflow setup, an email notification can be sent indicating that the request is complete. For example, if you are using NetPro’s AccessManager, and the workflow action is Create Managed Objects, then after the workflow is committed, go to the Managed Object node in the explorer view to see the managed object that was created.
Request Details Dialog
The Request Details dialog is displayed when the Details right-click command is selected for a workflow item in the Workflow pane. This dialog provides details about the workflow process as it progresses through the different workflow stages.
The following information is displayed at the top of the Request Details dialog:
Summary
This field displays a brief description of the selected workflow item.
Submitted By
This field displays the name of the account that submitted the request.
Submitted On
This field displays the date and time when the request was initially submitted.
In addition to the request submission information, the table at the bottom of the dialog displays the following information as the item progresses through the different workflow stages:
Occurred On
This column displays the date and time when the status changed for the selected workflow item.
Action
This column displays the action or status change that was made.
Comment
This column displays the comment that was entered when the request was reviewed and/or approved.
Account
This column displays the name of the account that performed the action listed.
Reviewing and/or Approving Workflow Requests
If you are assigned as a reviewer or approver, you can use the Workflow pane to review the workflow queue. You can be assigned as both reviewer and approver for the same workflow. However, you cannot review your own requests if you are also assigned as a requester.
To review and approve workflow items in the workflow queue:
1. Log on to the NetControl console.
2. Click the Workflow button in the navigation pane to display the Workflow node in the explorer view and the workflow items in the right pane. All submitted requests are displayed in the details view. To view the workflow items awaiting your response (review and/or approval), right-click somewhere on the right-hand pane (not a workflow item in the list) and select the Filter | My Work Items command.
3. Right-click an item that needs to be reviewed or approved, then select Approve or Deny.
4. After a request is approved, the workflow item proceeds to the next stage in the workflow process. Select F5 or the Refresh tool bar button or right-click command to display the updated status for the workflow item.
If configured during the workflow setup, an email notification can be sent indicating that the request has been reviewed and approved/rejected.
Depending on the configuration of the workflow, an expiration date may be set on the submitted request. When the request is not acted on in the selected time frame, the request will either be closed or an email sent to a designated user to indicate that the request requires attention. See ‘Request Page’ on page 92 for more information on the lifetime characteristics of a request.
Using Microsoft Outlook to View Workflow Items
If you deployed the package to use Microsoft Outlook (NetPro NetControl Outlook Extension.msi), you can review all the workflow items in Outlook. All options that are available in the Workflow pane on the NetControl console are also available in Outlook. For example, you can review, approve and cancel workflow items through Outlook.
Troubleshooting Tip
If you do not see the NetControl node in the left-hand pane, even after you have selected the Folder List icon, ensure that the NetControl console is loaded on the machine where the Outlook extension is installed.
To review workflow items in Outlook:
1. Log on to Microsoft Outlook.
2. Select the NetControl node in the left-hand pane to display the NetPro NetControl Connection dialog. If the NetControl node is not displayed, select the Folder List icon at the bottom of the navigation pane.
3. On the NetPro NetControl Connection dialog, use the drop-down menu to select the server where the NetControl service resides and select Connect. You are connected to NetControl during the Outlook session. When you log out of Outlook and then log on again, you must select and connect to NetControl again.
4. After you log on to NetControl, the workflow items are displayed. Right-click the items to review, approve, deny and/or cancel requests.
NOTE: Whenever the state of a workflow item is changed, you must select F5 or the Refresh button on the Outlook tool bar to display the new status.
Chapter 11: Reports
Using the Reports pane of the NetControl console, you can run reports for the NetControl console components: Agents, Agent Groups, Computer Lists and Schedules. Depending on the NetPro applications deployed, there may be reports displayed in the Reports pane for that application. Refer to the documentation for the NetPro application.
This chapter provides the following information and procedure:
• Reports Pane
• Generating NetControl Reports
Reports Pane
The Reports pane is displayed when Reports is selected in the navigation pane. From this pane you can run reports based on NetControl components.
The Reports pane is divided into three views:
Explorer View
The explorer view displays the types of reports available. All of the reports are listed under the following containers:
• NetControl Reports – these reports provide details regarding the shared components created and managed through the NetControl console.
• Depending on the deployed NetPro application there may be additional reports displayed in the explorer view. Refer to the documentation for each individual application for more information.
Object List
The object list displays a list of reports generated based on the container selected in the explorer view. The following information is displayed in this window:
• Name – the name assigned to the report when it was created.
• Comment – any comments that were entered when the report was created.
• Schedule – the schedule assigned to the selected report.
Details View
When a report is selected in the object list, the lower portion of this pane displays information about when the selected report was executed.
• Run Date – the date(s) when the report was executed.
• Elapsed Time – the amount of time it took to generate the selected report.
• Status – the current status of the report.
Once a report is generated and its status is ‘Completed’ in the Details View, either double-click or right-click the report entry and select the View command to display the results of the report.
Generating NetControl Reports
NetControl Reports provide details regarding the shared components created and managed through the NetControl console. Using the Reports pane, the following NetControl reports can be generated:
• Agents – provides a list of agents, their status and associated agent groups. Selecting the name of an agent will display a list of agent groups to which the agent belongs and the notification frequency for the selected agent.
• Agent Groups – provides a list of agent groups and agents that reside in the agent group and the configured update notification interval. Selecting the name of an agent group will display a list of the agents that belong to the selected agent group, as well as the configured update notification interval and status of each agent in the agent group.
• Computer Lists – provides the settings defined in a computer list. Selecting the name of a computer list will display a list of the jobs that are linked to the selected computer list.
• Schedules – provides a report that shows schedule configurations. Selecting a schedule entry will display a list of the jobs that are linked to the selected schedule.
To generate NetControl Reports:
1. Select Reports from the navigation pane to open the Reports pane.
2. Expand the NetControl Reports container in the explorer view and select the type of report to run:
• Agents
• Agent Groups
• Computer Lists
• Schedules
3. Select the Run tool bar button or right-click menu command. This will display the appropriate Report dialog allowing you to define the contents of the report, configure the report output, specify the data source and schedule the execution of the report.
4. On the General page, enter a descriptive name and optionally enter a comment regarding the report to be executed.
5. Open the “second” page to select the NetControl component to be reported on. (The second page in the dialog will change based on the type of report selected in the explorer view. For example, when Agents is selected, an Agents page will be displayed; when Schedules is selected, a Schedules page will be displayed, etc.)
6. On the Advanced page, link the report to a schedule.
7. On the Agent Groups page, select the agent group that contains the server(s) to be used to execute the report.
8. After entering the requested information, use the OK button to close the dialog and run (or schedule) the report.
9. Once the report has been generated (there is a “Completed” status in the Details View), double-click the report entry in the Details View (or right-click and select the View menu command) to display the results of the report.
Agents Report Dialog
The Agents Report dialog is displayed when the Run tool bar button or right-click menu command is used when Agents is selected in the NetControl container in the explorer view of the Reports pane. This dialog consists of four tabbed pages:
• General – use this page to specify general information about the report.
• Agents – use this page to select the agent(s) to be included in the report.
• Advanced – use this page to define the schedule for executing the selected report.
• Agent Groups – use this page to select the agent group(s) that are to generate the report.
General Page
From the General page, specify general information about the report to be executed.
Name
Enter a descriptive name for the report.
Comment
Optionally, enter a description or comment for the report.
Agents Page
Use the Agents page to specify the agent(s) to be included in the selected report.
Select one of the following:
• Report on all agents (default)
• Report on the following agents
When the last option is selected, the list box and the Add button are enabled allowing you to select the agent(s) to include in the report.
Agents List Box
This list box displays the agents to be included in the new report. Use the Add and Remove buttons to add/remove agents to/from this list box.
Add
Use the Add button to add agents to the list box. Selecting this button will display the Select an Agent dialog allowing you to select the agent(s) to include in the report.
Remove
After agents have been added to the list box, use the Remove button to remove an agent from the list box. Select the entry to be removed and select the Remove button.
Advanced Page
Use the Advanced page to define the schedule to use to run the report.
Scheduling
Select one of the following to define when to run the report:
• Run the report now (default)
• Run the report on the following schedule
When the last option is selected, use the browse button to select a schedule. Selecting the browse button will display the Select a Schedule dialog allowing you to select a previously defined schedule or create a new schedule.
Agent Groups Page
Use the Agent Groups page to select the agent group to be associated with the report. That is, select the agent group that contains the server(s) to be used to run the report.
NOTE: You MUST select an agent group; otherwise, the report will not run.
Agent Groups List Box
This list box displays the agent group(s) associated with the new report. Use the Add and Remove buttons to add/remove an agent group to/from the list box.
Add
Use the Add button to add agent groups to the list box. Selecting this button will display the Select an Agent Group dialog allowing you to select the agent group(s) to be used.
Remove
After agent groups have been added and are displayed in the Agent Groups list box, use the Remove button to remove an agent group from the list box. Select the agent group to be removed and select the Remove button.
Agent Groups Report Dialog
The Agent Groups Report dialog is displayed when the Run tool bar button or right-click menu command is used when Agent Groups is selected in the NetControl container in the explorer view of the Reports pane. This dialog consists of four tabbed pages:
• General – use this page to specify general information about the report.
• Agent Group Objects – use this page to select the agent group(s) to be included in the report.
• Advanced – use this page to define the schedule for executing the selected report.
• Agent Groups – use this page to select the agent group(s) that are to generate the report.
See ‘Agents Report Dialog’ on page 113 for a description of the General, Advanced and Agent Groups pages. All of these pages are the same for all NetControl reports.
Agent Group Objects Page
Use the Agent Group Objects page to specify the agent group(s) to include in the selected report.
Select one of the following:
• Report on all agent groups (default)
• Report on the following agent groups
When the last option is selected, the list box and the Add button are enabled allowing you to select the agent group(s) to include in the report.
Agent Groups List Box
This list box displays the agent groups to be included in the new report. Use the Add and Remove buttons to add/remove agent groups to/from this list box.
Add
Use the Add button to add agent groups to the list box. Selecting this button will display the Select an Agent Group dialog allowing you to select the agent group(s) to include. See ‘Select an Agent Group Dialog’ on page 27 for a description of the dialog.
Remove
After agent groups have been added to the list box, use the Remove button to remove an agent group from the list box. Select the entry to be removed and select the Remove button.
Computer Lists Report Dialog
The Computer Lists Report dialog is displayed when the Run tool bar button or right-click menu command is used when Computer Lists is selected in the NetControl container in the explorer view of the Reports pane. This dialog consists of four tabbed pages:
• General – use this page to specify general information about the report.
• Computer Lists – use this page to select the computer list(s) to be included in the report.
• Advanced – use this page to define the schedule for executing the selected report.
• Agent Groups – use this page to select the agent group(s) that are to generate the report.
See ‘Agents Report Dialog’ on page 113 for a description of the General, Advanced and Agent Groups pages. All of these pages are the same for all NetControl reports.
Computer Lists Page
Use the Computer Lists page to specify the computer list(s) to include in the selected report.
Select one of the following:
• Report on all computer lists (default)
• Report on the following computer lists
When the last option is selected, the list box and the Add button are enabled allowing you to select the computer list(s) to include.
Computer Lists List Box
This list box displays the computer lists to be included in the new report. Use the Add and Remove buttons to add/remove computer lists to/from this list box.
Add
Use the Add button to add computer lists to the list box. Selecting this button will display the Select a Computer List dialog allowing you to select the computer list(s) to include.
Remove
After computer lists have been added to the list box, use the Remove button to remove a computer list from the list box. Select the entry to be removed and select the Remove button.
Schedules Report Dialog
The Schedules Report dialog is displayed when the Run tool bar button or right-click menu command is used when Schedules is selected in the NetControl container in the explorer view of the Reports pane. This dialog consists of four tabbed pages:
• General – use this page to specify general information about the report.
• Schedules – use this page to select the schedule(s) to be included in the report.
• Advanced – use this page to define the schedule for executing the selected report.
• Agent Groups – use this page to select the agent group(s) that are to generate the report.
See ‘Agents Report Dialog’ on page 113 for a description of the General, Advanced and Agent Groups pages. All of these pages are the same for all NetControl reports.
Schedules Page
Use the Schedules page to specify the schedule(s) to include in the selected report.
Select one of the following:
• Report on all schedules (default)
• Report on the following schedules
When the last option is selected, the list box and the Add button are enabled allowing you to select the schedule(s) to include in the report.
Schedules List Box
This list box displays the schedules to be included in the new report. Use the Add and Remove buttons to add/remove schedules to/from this list box.
Add
Use the Add button to add schedules to the list box. Selecting this button will display the Select a Schedule dialog allowing you to select the schedule(s) to include.
Remove
After schedules have been added to the list box, use the Remove button to remove a schedule from the list box. Select the entry to be removed and select the Remove button.
Appendix A: NetPro Applications Using NetControl Components
This appendix provides a table that shows the NetPro applications that use the NetControl platform and its shared components. Please refer to the documentation for each individual application for more information on using the Configuration, Collectors, Reports and Workflow components.
NetControl Components
Configuration
Resources*
AccessManager
3
3
AccessReporter
3
3
ADMC
3
3
Business Insight
3
GPOADmin
Collectors
3
Reports
Workflow
3
3
3 3 3
3
3
LogADmin
3
3
3
NetControl for Exchange Message Analysis
3
3
3
3
ReportADmin for ACS
* Note that the Resources component includes agents, agent groups, computer lists, and schedules.
Appendix B: Email Setup
You can set up email notification for the following workflow items:
• requests that need attention
• during the review stage when a request is approved or rejected
• during the approval stage when a request is approved or rejected
• during the commit stage when the workflow item is finally complete
In addition, you can send an email as part of a provisioning rule for actions performed through the ADMC. Using the NetControl Configuration page, you can set up the email account and SMTP server from which these email notifications are sent.
This appendix provides the following information and procedure:
• Configuration Page - NetControl Email Pane
• Setting up Email
Configuration Page - NetControl Email Pane
The NetControl Email pane is displayed when Configuration is selected in the navigation pane and the NetControl node is selected in the explorer view. From this pane you can define an SMTP server for email notifications.
Email address
Enter an email address in the box. This is the address that email notifications will be sent from.
Display Name
Enter the display name for the email account.
SMTP Server
Provide the name of the SMTP server to be used for email notifications.
Test
After entering the email settings, use the Test button to send a test email to ensure the email settings are working properly.
Save
After entering the email settings, use the Save button to save your settings.
Setting up Email
To set up email notification:
1. Log on to the NetControl console.
2. Select the Configuration button in the navigation pane and then select NetControl in the explorer view.
3. On the NetControl Email pane, enter an email address and display name in the Email Address and Display Name fields.
4. Enter the name of the SMTP server to be used for email notifications.
5. After entering the email address, display name and SMTP server to be used, use the Test button to send a test email to ensure the settings are working properly.
6. After testing the email settings, use the Save button to save the email settings.
Appendix C: Active Directory Users and Computers (ADUC) Extension
This appendix provides additional information regarding the Active Directory Users and Computers (ADUC) extension that is activated when NetControl is installed. Using this extension you can enforce workflow approval processes and automate common Active Directory tasks through the use of rules.
Please remember that even though modifications made through ADUC will trigger defined workflow or rules, you can only define workflow and rules for an object using NetControl’s Active Directory Management Console (ADMC).
Usage Notes
Windows Server 2008
• 32-bit: runs as expected (e.g., %windir%\System32\dsa.msc)
• 64-bit: use WOW64 (e.g., %windir%\SysWOW64\dsa.msc)
Exchange
Do NOT install the NetControl Console/ADUC Extension on machines running Exchange tools.
Third-Party ADUC Extensions
Third-party ADUC extensions are not supported and will not trigger workflow or rules.
Using the ADUC Extension
Using the ADUC extension to modify Active Directory objects allows you to take advantage of the workflow and rules feature of NetControl.
1. Launch ADUC.
2. This will display the NetPro NetControl Connection dialog. On this dialog, use the drop-down menu to select the NetControl server to be used and select Connect.
Warning: If you select Cancel on the NetPro NetControl Connection dialog instead of connecting to the NetControl Console, ADUC will launch in a read-only mode and you will not be able to modify Active Directory objects.
3. Go through the typical procedure for creating, deleting and/or modifying an Active Directory object.
4. If workflow has been applied to an object, you will be prompted to enter a comment to accompany the modification being requested. You will then see a message indicating the request has been submitted. Select OK to close this dialog.
Removing the ADUC Extension
Removing the ADUC Extension from 32-bit Computers:
1. From a run command, enter:
   regsvr32 -u "C:\Program Files\Netpro\NetControl\adhook.dll"
Removing the ADUC Extension from 64-bit Computers:
1. From a run command, enter:
   regsvr32 -u "C:\Program Files (x86)\Netpro\NetControl\adhook.dll"
Re-installing the ADUC Extension
Re-installing the ADUC Extension to 32-bit Computers:
1. From a run command, enter:
   regsvr32 "C:\Program Files\Netpro\NetControl\adhook.dll"
Re-installing the ADUC Extension to 64-bit Computers:
1. From a run command, enter:
   regsvr32 "C:\Program Files (x86)\Netpro\NetControl\adhook.dll"
Appendix D: NetControl Troubleshooting
This appendix covers some of the known issues with NetControl and provides some troubleshooting tips. In addition, for more information and troubleshooting tips on the ADMC, please go to: http://www.turbochargedad.com.
NetControl Console
The following troubleshooting tips relate to issues with the NetControl Console.
NetControl Console Opens and Closes or Opens without any Nodes
Verify that the Console feature is installed.
Verify Console Feature is Installed:
1. Run the NetPro NetControl Plugin.msi on the server where the NetControl service is installed. This msi file is located in the Updates folder of the Install path of the NetControl service.
2. On the Program Maintenance screen, select the Modify option.
3. On the Custom Setup screen, verify that the Console is installed. If it is not installed, you will see a red X to the left of the Console feature. To install the Console feature, select the ‘This feature will be installed on local hard drive’ option from the Console drop-down menu.
Enterprise Server Console Connecting to NetControl Server - Not Supported
If an Enterprise Server Console connects to a NetControl Server Service, the console will get partially upgraded. After it is upgraded, the console will prevent the user from connecting to an Enterprise Server Service. To correct this issue, you must uninstall the Enterprise Server Console from the computer with the partial upgrade and then reinstall the Enterprise Server version of the Console.
ADMC Functionality
The following troubleshooting tips relate to the Active Directory Management Console (ADMC), which is installed with NetControl.
Rule Scripts Failed to Run on Windows 2008
The vbscript.dll and msscript.ocx need to be registered in order to use rule scripts in Windows Server 2008. Once registered, if rules scripting still is not working, verify the registry key does not contain quotes.
Register the following on 32-bit Computers:
1. From a run command, enter:
   regsvr32 %Windir%\System32\vbscript.dll
   regsvr32 %Windir%\System32\msscript.ocx
Register the following on 64-bit Computers:
1. From a run command, enter:
   regsvr32 %Windir%\System32\vbscript.dll
   regsvr32 %Windir%\SysWOW64\msscript.ocx
Verifying Registry Key:
1. Verify that the default value does not contain quotes in the following registry key:
   [HKEY_CLASSES_ROOT\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32]
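The registry check described above can be scripted so that it is repeatable across servers. The following PowerShell is an added example and is not part of the NetControl product or this guide; the function name Test-TypeLibRegistration is hypothetical, and checking the Wow6432Node location and the existence of the registered file are assumptions that go beyond the guide's single check for quotes.

```powershell
# Added example, not part of the NetControl guide.
# Checks the TypeLib registration named in the troubleshooting step: the default
# value of the win32 key must be a plain path with no quote characters.

$subKey = 'TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32'

# Assumption: on 64-bit Windows the 32-bit registration may be stored under
# Wow6432Node, so both locations are inspected.
$keyPaths = @(
    "Registry::HKEY_CLASSES_ROOT\$subKey",
    "Registry::HKEY_CLASSES_ROOT\Wow6432Node\$subKey"
)

# Hypothetical helper: returns one result object for a registry location.
function Test-TypeLibRegistration {
    param([Parameter(Mandatory = $true)][string]$KeyPath)

    $result = New-Object PSObject -Property @{
        Key = $KeyPath; Status = 'KeyMissing'; Value = $null; FileExists = $null
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $result }

    # The unnamed (default) registry value is exposed as the '(default)' property.
    $value = (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
    if ([string]::IsNullOrEmpty($value)) {
        $result.Status = 'DefaultValueEmpty'
        return $result
    }
    $result.Value = $value

    # Extra check beyond the guide: does the registered file exist once any
    # quotes are removed and environment variables are expanded?
    $plainPath = [Environment]::ExpandEnvironmentVariables(($value -replace '["'']', ''))
    $result.FileExists = ([bool]$plainPath) -and (Test-Path -LiteralPath $plainPath)

    if ($value -match '["'']')       { $result.Status = 'ContainsQuotes' }
    elseif (-not $result.FileExists) { $result.Status = 'FileNotFound' }
    else                             { $result.Status = 'OK' }
    return $result
}

# Report every inspected location; only a Status of 'OK' passes the check.
$keyPaths | ForEach-Object { Test-TypeLibRegistration -KeyPath $_ } |
    Format-List Key, Status, Value, FileExists
```

A Status of ContainsQuotes corresponds to the condition the guide tells you to look for; the script only reads the registry and changes nothing.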