Facebook – The New American Sofa

If you’re posting on Facebook, like I am right now, it means you’re not getting shit done. If you’re not getting shit done, it means you’re part of the problem. The more you’re not getting shit done, the bigger the problem.

I don’t count Twitter in this fight, because Twitter constrains everyone to small bites.  Facebook encourages long, rambling, mindless rants, just short of being a full blog, but definitely longer than most TV and radio commercials.  Also, comparing Twitter and Facebook, the percentage of content focused on “sharing information” (useful information) rather than fluff/politics/religion/rehashed-news/fake-news/re-faked-news etc. isn’t even in the same ballpark.  Not even the same planetary system.

In one hour I get more helpful information from Twitter than an entire year on Facebook.  I have made my decision on where to spend my “not getting shit done” time.

Master Plan – Automating an SCCM Site Installation

I was thinking, “Man, (or woman), it would sure be coolio if I could push one button and *presto!* I have a fully-built SCCM site server, without having to install anything but Windows itself”.  There’s some really shiny stuff out there already, like hydration kits and prerequisite installers.  But then, I thought “That’s not enough!  I need it to be ‘real’.  I need more!!” I want to build the site itself, and configure EVERYTHING to be JUST LIKE A REAL site out in the real world.  So, here’s how I sketched it out…

  1. Install Windows Server
    1. Do NOT patch it
  2. Create all the folders in all the right places
  3. Install Windows Server roles and features
  4. Install ADK for Windows 10
  5. Install MDT
  6. Install SQL Server with file auto-growth settings, Domain Service accounts, and register the SPNs
  7. Configure SQL Server memory limits
  8. Install the WSUS role
  9. Run the WSUS post-install configuration step
  10. Create file NO_SMS_ON_DRIVE.SMS on C:\
  11. Install Configuration Manager 1511 (not the latest baseline) with a Site Code, Site Name, Roles
  12. Configure Discovery Methods, including Network Discovery, where each one runs every day
  13. Initiate Discovery Methods
  14. Create Site Boundaries and Boundary Groups
  15. Configure Client Settings
  16. Configure Client Push Installation
    1. Configure automatic client installation and client upgrades
  17. Create and Configure Query-based Collections
  18. Configure all Query Collections to update every hour
  19. Create and Configure a set of Applications
  20. Deploy Applications to Collections
  21. Add everyone in IT to the “Full Administrator” RBAC role in SCCM
  22. Add everyone in IT to the SQL Server server admins role
  23. Install Symantec Antivirus, McAfee Antivirus, Cylance Agent and anything else on the same host
  24. Turn on the Domain Firewall
  25. Create an OSD configuration
    1. Windows 10 Image captured from a 5-year old machine with EVERY conceivable application installed.  If it’s not at least 10 GB, we have to repeat until it is.
    2. Boot Images – add every component and every driver for every model we have
    3. Drivers – everything.  all of it.
    4. Applications – only those product names which begin with 0 – 9 or A – Z.
    5. Task Sequences – create a dozen with names that mean nothing to anyone unless they’re on drugs
    6. Deploy each TS  to “All Systems” via PXE without a password
  26. Set a scheduled task to reboot the site server every night at the same time the backups and SQL jobs are supposed to run
  27. Add “Domain Users” to the local Administrators group
  28. Turn off Site Maintenance tasks: backups, reindex.
  29. Do not install Ola’s tools – or Steve’s guidelines for SQL – they just make it run too well.
  30. Install Google Chrome, MS Office, Adobe Reader and any freeware applications I can find on the primary site server
  31. Change the NIC to use DHCP
  32. Install additional Web Site applications within IIS
  33. Verify no PKI exists and then configure all clients to use PKI only.
  34. Take a snapshot/checkpoint every day and once a month revert to a previous snapshot from a week earlier.
  35. Post job openings to all the job search sites insisting the candidate ONLY know Ghost or Acronis and has never touched or even heard of SCCM or MDT, ever.
  36. Configure Azure with O365 and an EMS tenant
  37. Integrate SCCM and EMS
  38. Enroll devices in EMS/Intune
  39. Deploy SCCM clients to the Intune devices
  40. Automatically open support tickets with Microsoft on why the clients stop working in EMS/Intune

That should just about cover it.

GPODoc – PowerShell Module

I just posted my first PowerShell module to the PowerShell Gallery, even though it’s been available on my GitHub site for a little while longer.  It’s a small project, with only two (2) functions, so far: Get-GPOComment and Export-GPOCommentReport.

Get-GPOComment is purely CLI and helps query GPOs to return embedded descriptions, comments and so on.

Export-GPOCommentReport is a CLI function as well, but produces an HTML report, which is technically GUI output, of embedded GPO comments and descriptions.

The module is simple to load by way of the Install-Module and Import-Module cmdlets (see below).  The only requirement is to have the GroupPolicy PowerShell module installed first.  This is normally installed on all AD domain controllers, as well as other servers and workstations which have the Windows 10 RSAT package installed (tip: you can also use Chocolatey to install RSAT: choco install rsat <or> cinst rsat).

Loading The PowerShell Module

Install-Module GPODoc

Trying it out: Get-GPOComment

Get-GPOComment -GPOName '*' -PolicyGroup Policy


Get-GPOComment -GPOName '*' -PolicyGroup Preferences

You can easily modify the output layout since the output is in hash table format…

Get-GPOComment -GPOName '*' -PolicyGroup Preferences | Format-Table

If you want more flexibility in selecting the inputs, you can use the Get-GPO cmdlet and channel the output through a pipeline.  For example…

Get-GPO -All | Where-Object {$_.DisplayName -like "U *"} | 
  Select-Object -ExpandProperty DisplayName | 
    Foreach-Object {Get-GPOComment -GPOName $_ -PolicyGroup Policy}


The parameters for this function are as follows:

  • GPOName
    • [string] single or array of GPO names
  • PolicyGroup
    • [string] (select list) = “Policy”, “Preferences” or “Settings”
    • Policy = query the GPO descriptions only
    • Settings = query the comments attached to GPO internal settings only
    • Preferences = query the comments attached to GPO Preferences internal settings only

This also respects -Verbose if you want to see more background details.

Export-GPOCommentReport

This function only takes two (2) inputs:

  • GPOName
    • [string] single or array of GPO names
  • ReportFile
    • [string] the path/filename for the HTML report file to create.

It invokes Get-GPOComment, combining “policy”, “preferences” and “settings” output, and writes it all to an HTML report file of your choosing.  The CSS formatting is hard-coded for now, but I’m open to feedback if you want more options. You can specify the GPO name(s) directly, or feed them via the pipeline.


Example web report…


If you used 1.0.1 (posted a few days earlier) scrap that and get 1.0.2.  The older version had some major bugs in the Get-GPOComment function, and the Export-GPOCommentReport function wasn’t available until 1.0.2.

Feedback and suggestions are welcome.  Even if it’s “hey man, your shit sucks. Consider a dishwashing job, or something else.”  Any feedback is better than no feedback.

Thank you!


Documenting Your IT Environment (The Easy Way)

One of the most common, and tragically problematic, aspects of today’s IT world is the lack of sufficient documentation. In fact, ANY documentation. It’s not associated with any one area either. It crosses everything from help desk tickets, to change requests, to Active Directory objects, to Group Policy, to SQL Server, to System Center to Azure.

UPDATED 8/8/17 – added SQL and SCCM examples at very bottom.

When and Why Does It Matter?

It matters when things go wrong (or “sideways” as many of my colleagues would say).  There’s the “oh shit!” moments where you or your staff find the problem first.  Then there’s the “oh holy shit!!” moments when your boss, his/her boss, and their bosses find the problem first and come down hard on you and your team.  When shit goes wrong/sideways, the less time you waste on finding out the what/where/why/who/when questions for the pieces involved with the problem, the better.  To that end, you can document things in other places, like Word documents, spreadsheets, help desk and ITIL systems, post-it notes, whiteboards, etc.  Or you can attach comments DIRECTLY to the things which are changed.  This isn’t possible in all situations, but it is most definitely possibly for many of the things that will straight-up shove your day into shit storm, and I have no idea what that really means, but it just sounds cool.  Anyhow…

The best part of this approach is that you can leverage PowerShell and other (free and retail) utilities to access and search comments you nest throughout the environment.  For example, you can collect and query Group Policy Object comments…

Need to Get the Comment buried in a particular GPO or GPPref setting?  Here’s one example for querying a GPO under User Configuration / Preferences / Control Panel Settings / Folder Options…

#requires -modules GroupPolicy
<#
.SYNOPSIS
  Get-GPPrefFolderOptionsComments.ps1
.DESCRIPTION
  Returns the comment stored on the Folder Options preference item
  (User Configuration / Preferences / Control Panel Settings / Folder Options)
  by reading the GPO's FolderOptions.xml directly from SYSVOL.
#>
param (
  [parameter(Mandatory=$True)]
  [ValidateNotNullOrEmpty()]
  [string] $GPOName
)
try {
  $policy = Get-GPO -Name $GPOName -ErrorAction Stop
}
catch {
  Write-Error "Group Policy $GPOName not found"
  return
}
$policyID = $policy.ID
$policyDomain = $policy.DomainName
$policyName  = $policy.DisplayName
# GPP settings are stored as XML under the GPO's GUID folder in SYSVOL
$policyVpath = "\\$($policyDomain)\SYSVOL\$($policyDomain)\Policies\{$($policyID)}\User\Preferences\FolderOptions\FolderOptions.xml"
Write-Verbose "loading: $policyVpath"

if (Test-Path $policyVpath) {
  [xml]$SettingXML = Get-Content $policyVpath
  # the comment typed into the GPMC editor lands in the item's "desc" attribute
  $result = $SettingXML.FolderOptions.GlobalFolderOptionsVista.desc
}
else {
  Write-Error "unable to load xml data from $policyVpath"
  return
}
Write-Output $result
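The script above reads one specific preference item. The same trick works for every Group Policy Preferences category, because each GPP item carries its comment in a “desc” attribute of its XML file under SYSVOL. The following script is an added example (not part of the original post, and not the GPODoc module’s own code) that walks all Preferences XML files of a GPO and returns every commented item, which is the kind of data the Preferences option of Get-GPOComment is described as returning. The script name and the Scope parameter are my own choices.

```powershell
#requires -modules GroupPolicy
<#
.SYNOPSIS
  Get-GPPrefComments.ps1 (added example, not the original post's script)
  Lists every Group Policy Preferences item in a GPO that carries a "desc" comment.
#>
[CmdletBinding()]
param (
  [parameter(Mandatory=$True)]
  [ValidateNotNullOrEmpty()]
  [string] $GPOName,
  # which half of the GPO to read; 'Both' is an assumed default for this example
  [ValidateSet('User','Machine','Both')]
  [string] $Scope = 'Both'
)
try {
  $policy = Get-GPO -Name $GPOName -ErrorAction Stop
}
catch {
  Write-Error "Group Policy $GPOName not found"
  return
}
$domain = $policy.DomainName
$base   = "\\$domain\SYSVOL\$domain\Policies\{$($policy.Id)}"
$sides  = if ($Scope -eq 'Both') { 'User','Machine' } else { $Scope }

foreach ($side in $sides) {
  $prefRoot = Join-Path $base "$side\Preferences"
  if (-not (Test-Path $prefRoot)) {
    Write-Verbose "no $side preferences in $($policy.DisplayName)"
    continue
  }
  # each GPP category (Files, Registry, FolderOptions, ...) keeps its items in one XML file
  Get-ChildItem -Path $prefRoot -Filter *.xml -Recurse | ForEach-Object {
    $file = $_
    [xml]$doc = Get-Content -Path $file.FullName -Raw
    # any element with a desc attribute is a preference item that someone commented
    foreach ($node in $doc.SelectNodes('//*[@desc]')) {
      $comment = $node.GetAttribute('desc')
      if ([string]::IsNullOrWhiteSpace($comment)) { continue }
      [pscustomobject]@{
        GPO      = $policy.DisplayName
        Scope    = $side
        Category = $file.BaseName
        Item     = $node.GetAttribute('name')
        Comment  = $comment
        Changed  = $node.GetAttribute('changed')
      }
    }
  }
}
```

Pipe the output through Format-Table or Export-Csv to build a quick inventory of which preference items have been documented and which have not.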

Example…

So, What Now?

So, in the interest of avoiding more bad Mondays, start documenting your environment now.  Need some examples of where to start?  Here you go…


Thank you for your support.

60 seconds of IT Advice

1. DO NOT get comfortable on old technology.  Keep moving.  Keep current.  It hurts a LOT less to upgrade now, than to wait for later.

2. Patch, Patch, Patch the fuck out of your environment until there are no more patches left to be applied.  I apologize for the expletives, but it’s really that fucking serious.

3. Test EVERYTHING in an isolated environment.

4. Document EVERYTHING. Use internal commenting wherever possible (Group Policy, AD, SQL Agent Jobs, scripts, etc.)

5. DO NOT EVER grant admin rights to anyone using their standard login. EVER.

6. Log files – Learn them. Know them. Live them.

7. Find a hobby. Anything. Get your mind into a separate creative channel after hours and on weekends.

8. Ask “Why?” as often as possible. Especially to yourself.

9. Respect the coffee.  All hail the coffee.

10. Take it seriously, but not too seriously.  (tip: envision describing your worst IT problems to the kids pictured above)

11. Have you finished patching yet?!?!

Poor Man’s IT Chain Reactions


Challenge:

Make sure every machine in the enterprise (connected to LAN or always-on VPN) has the latest version of psexec.exe on the local C: drive.

Why?

Why not?  That’s why.

Option 1:

AKA – the semi-automated, safety switch turned off, fully-loaded, drunk guy holding the trigger option.

  1. Download psexec.exe from live.sysinternals.com (or direct: https://live.sysinternals.com/psexec.exe) and place into AD domain SYSVOL scripts folder (e.g. \\contoso.com\netlogon)
    Example…

    $WebClient = New-Object System.Net.WebClient
    $WebClient.DownloadFile("https://live.sysinternals.com/psexec.exe","\\contoso.com\netlogon\psexec.exe")
  2. Create Group Policy Object (GPO) with Computer Preferences setting to copy psexec.exe from the SYSVOL share to a location on the local C: drive. Configure to “update” so that future version updates will be passed down to the clients.
  3. Create a Scheduled Task to keep the SYSVOL copy up to date with the latest version.
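Step 3 is where the risk sits: whatever the scheduled task drops into SYSVOL gets copied to every machine in the domain by the GPO. This added example (my own script, not from the original post) is the body such a task could run, assuming the same download URL and SYSVOL target as step 1: it refuses to publish a download whose Authenticode signature is not valid or not from Microsoft, skips the copy when the hash already matches, and swaps the file in via a rename so clients never pick up a half-written binary. The signer subject check is an assumption about how Sysinternals binaries are signed.

```powershell
<#
.SYNOPSIS
  Update-SysvolPsExec.ps1 (added example, not the original post's script)
  Refreshes the SYSVOL copy of psexec.exe only when the download is
  validly signed by Microsoft and differs from the copy already published.
#>
[CmdletBinding()]
param (
  [string] $SourceUrl  = 'https://live.sysinternals.com/psexec.exe',
  [string] $TargetPath = '\\contoso.com\netlogon\psexec.exe'
)
$tempFile = Join-Path $env:TEMP 'psexec.download.exe'
try {
  Invoke-WebRequest -Uri $SourceUrl -OutFile $tempFile -UseBasicParsing -ErrorAction Stop
}
catch {
  Write-Error "download failed: $($_.Exception.Message)"
  return
}
# Never publish an unsigned or tampered binary to every machine in the domain.
# Subject prefix is an assumption about the Sysinternals signing certificate.
$sig = Get-AuthenticodeSignature -FilePath $tempFile
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike 'CN=Microsoft Corporation*') {
  Write-Error "signature check failed ($($sig.Status)); leaving SYSVOL copy untouched"
  Remove-Item -Path $tempFile -Force
  return
}
# Compare hashes so the task only touches SYSVOL when Sysinternals actually shipped a new build
$newHash = (Get-FileHash -Path $tempFile -Algorithm SHA256).Hash
$oldHash = if (Test-Path $TargetPath) { (Get-FileHash -Path $TargetPath -Algorithm SHA256).Hash } else { $null }
if ($newHash -eq $oldHash) {
  Write-Verbose "SYSVOL copy already current ($newHash)"
  Remove-Item -Path $tempFile -Force
  return
}
# Stage under a temporary name on the share, then rename into place
$staged = "$TargetPath.new"
Copy-Item -Path $tempFile -Destination $staged -Force
Move-Item -Path $staged -Destination $TargetPath -Force
Remove-Item -Path $tempFile -Force
Write-Output ("updated {0}: {1} -> {2}" -f $TargetPath, $oldHash, $newHash)
```

Run it with -Verbose from the scheduled task so the "already current" case leaves a trace in the task history as well.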

Pros

  • Cheap (free)
  • Fairly automated (just add water, makes its own sauce / set it and forget it)

Cons

  • Smells like duct tape and coat hanger wire

Option 2:

AKA – The “I have a budget, so kiss my butt” option.

  1. SCCM package or application deployment

Pros

  • You look cool pulling it off, but not as geeky as option 1.

Cons

  • More moving parts under the hood.
  • May require additional steps to maintain a consistent current version across all devices.

Option 3:

AKA – The “I don’t have a budget, so kiss my butt” option.

  1. Include within image configuration (MDT, SCCM, Ghost, Acronis, etc.)

Pros

  • Easy

Cons

  • Difficult to maintain a consistent and current version across the enterprise

Option 4:

AKA – the “most fun to laugh about during the next beer-meeting” option

  1. Send the new guy around with a USB thumb drive

Pros

  • Great fun in the office

Cons

  • Do I really need to spell this out?


Interviews – Will IT Be More or Less Fun in 10 Years?

Question: “Do you expect that IT work in 10 years from now, will be more fun or less fun than it is today, and why?”

Mark Aldridge

I think that it will be more fun as there will be so much more technology to learn in 10 years time and so many amazing features in ConfigMgr 2706!

DareDevelOPs

I think it will be more fun as open source projects become more the norm. Also as Infrastructure as Code becomes all things as code (ATaC?), the challenge level is going to go up. We will be more focused on solving the problem than running the infrastructure. Also the kinds of industries will change from country to country as the Human Development Index shifts and Nation State ranking changes. The level of Virtualization in all areas life will continue down Moore’s law critical path, even as the compute hardware reaches Moore’s limit. The things we IT will get shinier. …or Skynet.

Stephen Owen

More fun! IT has only gotten more interesting and varied, with the introduction of mobile devices and tons of new form factors. I think in ten years we all will finally know what we’re doing with Windows updates, and probably have a better handle on security practices.

I think the Wild West days of IT are behind us, and I for one am happy about it. My phone definitely rings less on weekend now than it did five years ago.

Damien Van Robaeys

When I see all available technologies, I can imagine that, in 10 years, the working environment will also change.
This will be the time of mixed reality, even if Minority report won’t be for now.
I hope we will work with Holographic computers, like the Hololens.

Maybe computers, like laptop or desktop, if they still exist, will use a holographic screen and holographic keyboards.
Imagine your computer, in a small box that will display a screen above, and a keyboard on your desk.

Meetings would be done with holographic system, like in Star Wars, with a system that will allow you to say Hey call Mr X, and Mr X will appear in front of you in hologram, like Obi Wan Kenobi.

Rob Spitzer

Fun is such a relative thing. I’ve met DBAs that are super passionate about their jobs yet I can’t imagine how that could be any fun. Conversely I’ve been asked on multiple occasions how I deal with Exchange every day. It’s just something I found that I enjoy doing.

There’s no doubt IT is changing. We’ve seen this happen before. We rarely build hardware anymore and now we’re seeing things like software installation and configuration go away as we move more to the cloud. I’ve seen Exchange change a lot over the last 20 years but, at its heart, it’s still the same thing I’ve enjoyed all along, even in the cloud.

You just need to make sure you find a role that you’re passionate about. If you have a hard time putting down at the end of the day, odds are you found it.

Ami Casto

IT, fun? What? IT has been and will always be what you make of it. 10 years from now you’ll still be fixing some idiot policy you didn’t create but have to clean up the mess now that the poo has hit the fan. You’ll just have to keep looking for the things that make you passionate about what you do.

Arnie Tomasovsky

I expect it to be less fun, as thanks to AI, everything will be a lot more automated. BUT human beings will remain as the end user, therefore fun won’t disappear 🙂

Johan Arwidmark

I expect it to be more fun, and more complex. Why? Hopefully less politics, and more ongoing maintenance/upgrades, and more automation.

Nicke Kallen

There are two directions that this can go in… either we aim for a specialized knowledge set where employees will continue tinkering as they do today. The number will not be as many as we have today, but larger corporations will still depend on this knowledge and for the people that have actively developed this skillset – it’s a lot more fun.

The other option is that we are somewhere down the journey to be completely commoditized. Perhaps a few service providers have staff, but apart from that we define business requirements and ensure the logistics part of delivering IT works. It’s most likely not the cup of tea for today’s IT workers…

Mike Terrill

I think IT will be even more fun 10 years from now. The reason for this is because our field is growing at a rapid pace and will continue to do so over the next 10 years. Just imagine some of the gadgets we will have in the future and how much AI will have progressed.

Rod Trent

A: <Beavis and Butthead mode on…> Hehe…you said work in IT is fun </Beavis and Butthead mode off>

Chris DeCarlo

So I’m sure everyone you asked this question will say “More fun…” So I’ll play devil’s advocate here and say less fun. AI is already making decent strides, and with the great progress of robots and VR already I envision AI being fully integrated into robotics in the next 10 years. These AI enhanced robots will take over our call centers and end user support roles with 24×7 support and no need for breaks or health care. From there AI will be integrated into the Windows OS and automatically Google (or I mean Bing) and fix any errors that appear on your server/sccm software leaving us “organ sacks” or “blood bags” with basic tasks such as lubricating the robots’ joints, and polishing the robots’ shiny metal ….

Skatterbrainz

More fun for some.  Less fun for others.  More work for software folks, less work for hardware folks.  In all, I think there will be some serious reduction in IT staffing for many data center roles, as those things morph into “Software-Defined <x>” while evaporating into the cloud.  Then again, it’s not inconceivable that some unforeseen events could trigger a massive reversion from cloud back to on-prem.  Government intrusion, for one, might have that sort of impact.