Zenoss Setup for Windows Servers
Posted by Jay Fox on Geeks with Blogs
Published on Thu, 20 Sep 2012 09:15:57 GMT
Recently I was saddled with standing up Zenoss for our enterprise. We're running about 1200 servers, so manually touching each box was not an option. We use LANDesk for a lot of automated installs and patching - more about that later.
The steps below may not necessarily have to be completed in this order - it's just the way I did it.
STEP ONE:
Set up a standard (non-administrative) AD user. We want a plain user so the monitoring account has minimal security exposure. Call the account whatever you want; it is "domain/zenoss" in the examples below.
***********************************************************
STEP TWO:
Add the zenoss account to the following local groups on each monitored machine:
Distributed COM Users
Performance Monitor Users
Event Log Readers (which doesn't exist on pre-2008 machines)
Here's the Powershell script I used to set up membership in these local groups:
# Created to add an Active Directory account to local groups on a list of machines.
# Must be run from an elevated prompt, as an account with permissions on the remote machine(s).
# c:\tmp\computers.txt must contain the names of the machines that need the account added, one per line.
# The script processes the machines line by line.
$objUser=[ADSI]("WinNT://domain/zenoss")
foreach($i in (gc c:\tmp\computers.txt)){
    # Add the user to the first group
    $objGroup=[ADSI]("WinNT://$i/Distributed COM Users")
    $objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
    # Add the user to the second group
    $objGroup=[ADSI]("WinNT://$i/Performance Monitor Users")
    $objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
    # Add the user to the third group - the group doesn't exist on < Server 2008,
    # so the add is allowed to fail there and the machine is reported instead of aborting the loop
    try {
        $objGroup=[ADSI]("WinNT://$i/Event Log Readers")
        $objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
    } catch {
        Write-Warning "$i : could not add to Event Log Readers - $($_.Exception.Message)"
    }
}
**********************************************************
STEP THREE:
Set up security on each machine's WMI namespace so the domain/zenoss account can access it remotely. The script below also adds the account to the machine-wide DCOM launch/activation restriction, which remote WMI relies on.
The default namespace Zenoss uses is root/cimv2.
Here's the Powershell script:
# Grant the account resolved into $sid below access to the WMI namespace and to DCOM launch/activation
# Has to be run as an account with permissions on the remote machine(s)
function get-sid
{
    Param (
        $DSIdentity
    )
    $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
    return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}
$sid = get-sid "domain\zenoss"
# WMI namespace ACE: CC = Enable Account, WP = Remote Enable (no CI flag, so it applies to this namespace only)
$SDDL = "A;;CCWP;;;$sid"
# DCOM MachineLaunchRestriction ACE: CC = execute, DC = local launch, RP = remote activation
$DCOMSDDL = "A;;CCDCRP;;;$sid"
$computers = Get-Content "c:\tmp\computers.txt"
foreach ($strcomputer in $computers)
{
    # 2147483650 (0x80000002) is HKEY_LOCAL_MACHINE for StdRegProv
    $Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"
    $DCOM = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction").uValue
    $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
    $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
    # GetSD hands the namespace security descriptor back through its single out parameter
    $binarySD = @($null)
    $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)
    $outsddl = $converter.BinarySDToSDDL($binarySD[0])
    $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM)
    # Append the new ACE to the end of the DACL (neither descriptor carries an SACL by default).
    # Skip descriptors that already mention the SID so re-running the script doesn't stack duplicate ACEs.
    if ($outsddl.SDDL -notmatch [regex]::Escape($sid)) {
        $newSDDL = $outsddl.SDDL + "(" + $SDDL + ")"
        $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL)
        # SetSD takes one byte[] argument, so wrap it in an outer array for InvokeMethod
        $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
        $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
    }
    if ($outDCOMSDDL.SDDL -notmatch [regex]::Escape($sid)) {
        $newDCOMSDDL = $outDCOMSDDL.SDDL + "(" + $DCOMSDDL + ")"
        $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL)
        $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD)
    }
}
***********************************************************
STEP FOUR:
Get the SID for our zenoss account.
Powershell:
# Translate the AD user name into its SID
$objUser = New-Object System.Security.Principal.NTAccount("domain", "zenoss")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
******************************************************************
STEP FIVE:
Modify the Service Control Manager to allow access to the zenoss AD account.
This command can be run from an elevated command prompt or from Powershell. In Powershell write sc.exe, because sc on its own is an alias for Set-Content. Note that sc sdset replaces the whole descriptor, so compare the string below against the current output of sc sdshow scmanager before applying it. The descriptor must be passed as a single line:
sc.exe sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;PUT_YOUR_SID_HERE_FROM_STEP_FOUR)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
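Because sc sdset overwrites whatever descriptor the Service Control Manager currently has, here is an added example (not from the original post) that reads the live descriptor with sc.exe sdshow, inserts the zenoss ACE into the DACL only if it is not already there, and writes it back. The SID value is a constructed placeholder; Add-ScmAce is a name chosen here, and it assumes an elevated prompt on the target machine.

```powershell
# Added example, not from the original post: add the zenoss ACE to the descriptor
# scmanager currently has instead of replacing it with a fixed string.
# Assumes an elevated prompt on the target machine and sc.exe on the PATH.
$zenossSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # constructed placeholder: use the SID from step four

function Add-ScmAce {
    param(
        [Parameter(Mandatory=$true)][string]$Sid,
        [string]$Rights = 'CCLCRPRC',   # same rights the post grants: connect, enumerate, query status, read control
        [switch]$Apply                  # without -Apply only the resulting descriptor is returned
    )
    # sc.exe sdshow prints an empty line followed by the SDDL string
    $current = sc.exe sdshow scmanager | Where-Object { $_ -match '^\s*[DOGS]:' } | Select-Object -First 1
    if (-not $current) { throw "Could not read the scmanager descriptor (is the prompt elevated?)" }
    $current = $current.Trim()

    # Already present for this SID: leave the descriptor alone so re-runs are idempotent
    if ($current -match ";;;$([regex]::Escape($Sid))\)") {
        Write-Verbose "$Sid already has an ACE on scmanager"
        return $current
    }
    $ace = "(A;;$Rights;;;$Sid)"
    # Append to the DACL. scmanager has an SACL ('S:' section), and an ACE pasted after it
    # would become an audit entry rather than an access grant, so insert before 'S:'.
    $new = if ($current -match '^(?<dacl>.*?)(?<sacl>S:.*)$') { $Matches.dacl + $ace + $Matches.sacl } else { $current + $ace }
    if ($Apply) {
        $out = sc.exe sdset scmanager $new
        if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed: $out" }
    }
    return $new
}

# Dry run first; once the returned descriptor looks right, run again with -Apply
Add-ScmAce -Sid $zenossSid -Verbose
# Add-ScmAce -Sid $zenossSid -Apply
```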
******************************************************************
In step two the script works through a text file, processing each computer listed, one per line. The other scripts I ran on each machine using LANDesk. You can probably edit those scripts to process a text file as well.
That's what got me off the ground monitoring the machines using Zenoss. Hopefully this is helpful for you. Watch the line breaks when copying the scripts.
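Since the scripts above are pushed out without much feedback, here is an added read-only audit (not from the original post) that checks, per machine in c:\tmp\computers.txt, what steps two, three and five should have left behind: the group memberships, the root/cimv2 and DCOM ACEs for the account, and the scmanager ACE. Account and file names are the post's placeholders, Get-AllowedRights is a helper named here, and nothing is modified.

```powershell
# Added example, not from the original post: read-only audit of what steps two,
# three and five should have left on each machine listed in c:\tmp\computers.txt.
# Assumes the post's file layout and account name; run as an account that can
# read the remote hosts. Nothing is modified.
$account   = 'domain\zenoss'
$adsiUser  = 'WinNT://domain/zenoss'
$sid       = ([System.Security.Principal.NTAccount]$account).Translate([System.Security.Principal.SecurityIdentifier]).Value
$groups    = 'Distributed COM Users', 'Performance Monitor Users', 'Event Log Readers'
$converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper

# Rights strings of every allow ACE granted to $sid in an SDDL string (nothing returned = not granted)
function Get-AllowedRights([string]$sddl, [string]$sid) {
    [regex]::Matches($sddl, "\(A;[A-Z]*;(?<rights>[A-Z]*);;;$([regex]::Escape($sid))\)") |
        ForEach-Object { $_.Groups['rights'].Value }
}

foreach ($computer in Get-Content 'c:\tmp\computers.txt') {
    $row = [ordered]@{ Computer = $computer }
    # Step two: local group membership via the ADSI WinNT provider
    foreach ($g in $groups) {
        try {
            $members = @(([ADSI]"WinNT://$computer/$g,group").PSBase.Invoke('Members') |
                ForEach-Object { $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) })
            $row[$g] = if ($members -contains $adsiUser) { 'member' } else { 'MISSING' }
        } catch { $row[$g] = 'no such group' }   # Event Log Readers is absent before Server 2008
    }
    try {
        # Step three: the root/cimv2 ACE must carry CC (Enable Account) and WP (Remote Enable)
        $sec = Get-WmiObject -ComputerName $computer -Namespace root/cimv2 -Class __SystemSecurity
        $bin = @($null); [void]$sec.PSBase.InvokeMethod('GetSD', $bin)
        $wmi = Get-AllowedRights ($converter.BinarySDToSDDL($bin[0]).SDDL) $sid
        $row.WmiNamespace = if (($wmi -match 'CC') -and ($wmi -match 'WP')) { "ok ($wmi)" } else { 'MISSING' }
        # Step three: DCOM MachineLaunchRestriction under HKLM (2147483650) on the remote host
        $reg  = [WMIClass]"\\$computer\root\default:StdRegProv"
        $dcom = $reg.GetBinaryValue(2147483650, 'software\microsoft\ole', 'MachineLaunchRestriction').uValue
        $dc   = if ($dcom) { Get-AllowedRights ($converter.BinarySDToSDDL($dcom).SDDL) $sid }
        $row.DcomLaunch = if ($dc) { "ok ($dc)" } else { 'MISSING' }
        # Step five: Service Control Manager descriptor, read remotely with sc.exe
        $scm = sc.exe "\\$computer" sdshow scmanager | Where-Object { $_ -match '^\s*[DOGS]:' } | Select-Object -First 1
        if (-not $scm) { throw "sc.exe sdshow scmanager failed on $computer" }
        $sm = Get-AllowedRights $scm.Trim() $sid
        $row.ScManager = if ($sm) { "ok ($sm)" } else { 'MISSING' }
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}
```

Pipe the output to Format-Table or Export-Csv to get one row per host with a MISSING marker wherever a step did not take.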
© Geeks with Blogs or respective owner