Troubleshooting Process Elevation in Privilege Manager

Oct. 12th 2016

Here are some tips when trying to discover why the process elevation feature is not working as expected.

  • Ensure that the rule has been created, has been saved and applied to a Group Policy Object (GPO). Ensure this GPO has been linked to either an OU or the domain.
  • Ensure that the Privilege Authority Client is installed on the client machine by looking in the Add/Remove Programs applet. If WMI is available, you can query the machine from a command prompt with "wmic /node:<fqdn of machine> product get name,version". If you need PowerShell, there is a great script located here.
  • From the command prompt, run ‘GPUpdate /force’ to make sure that the Group Policy has been refreshed.
  • Run ‘GPResult’ (or ‘GPResult /R’ on Windows 7 or 2008), and check that the GPO the rule belongs to has been applied to that machine. You can also use the Resultant Set of Policy (RSoP) feature or Group Policy Modeling in the Group Policy Console. For more info, see here.
  • Check in the registry for the rule. Rules are copied to the key HKEY_LOCAL_MACHINE\Software\ScriptLogic Corporation\Privilege Authority\CSE\CSEHost\Host. Under this key you will see a subkey for each user's SID (i.e. S-1-5-21-15….) and, beneath that, a unique GUID for each rule. To match the SID to a user account, navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and look at the data in the ProfileImagePath value, or use the script provided below.

You can also look the SID up with the following VBScript:

' Resolve the logged-on user's account to its SID through WMI
Set oShell = CreateObject("WScript.Shell")
User = oShell.ExpandEnvironmentStrings("%UserName%")
UserDomain = oShell.ExpandEnvironmentStrings("%UserDomain%")
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get("Win32_UserAccount.Name='" & User & "',Domain='" & UserDomain & "'")
DisplayString = UserDomain & "\" & User & " = " & objAccount.SID
WScript.Echo DisplayString
WScript.Echo objAccount.SID

  • If the rule is present in the registry, enable logging to troubleshoot further.

To Enable Logging

Under the registry key HKLM\Software\ScriptLogic Corporation\Privilege Authority\ change ‘LogLevel’ from the default value of 0 to 3 and restart the ScriptLogic Privilege Authority Host Service.  The log files can be found in the folder specified in the ‘InstallPath’ value under this same key. The default log location is C:\ProgramData\Privilege Authority\Logs.

  • Run the application or target process that you have created your rule for. Then go to the log file folder (by default – C:\ProgramData\Privilege Authority\Logs) and open the CSEHostEngine.log file. Every process that is being run by the user will be displayed.  To the right of each process, you will see a “MATCH” or “NO MATCH” status indicating whether or not the process matched a given Privilege Authority rule. Then, do a search for the process that you are trying to elevate and see if there is a match or not.
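The checklist above can be scripted. The PowerShell below is an added example, not part of the original post: it lists the rules present under the Host key for each user SID and pulls the MATCH / NO MATCH lines for one process out of CSEHostEngine.log. The registry and log paths are the ones quoted above; that a process name and its status appear on the same log line is an assumption.

```powershell
# Added example (not part of the original post): lists the rules the client has received,
# per user SID, and pulls the MATCH / NO MATCH lines for one process out of the engine
# log. Key and log paths come from the post; that each log line names the process and
# its status on the same line is an assumption.
$paRoot  = 'HKLM:\SOFTWARE\ScriptLogic Corporation\Privilege Authority'
$hostKey = Join-Path $paRoot 'CSE\CSEHost\Host'

function Get-PrivilegeAuthorityRules {
    # Each subkey of Host is a user SID; each subkey below that is one rule GUID
    if (-not (Test-Path $hostKey)) {
        Write-Warning "No rule key at ${hostKey}; client missing or GPO not applied yet"
        return
    }
    foreach ($sidKey in Get-ChildItem $hostKey) {
        $sid = $sidKey.PSChildName
        try {   # resolve the SID to DOMAIN\user (the VBScript above goes the other way)
            $account = ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value
        } catch { $account = '<unresolved SID>' }
        foreach ($rule in Get-ChildItem $sidKey.PSPath) {
            [pscustomobject]@{ Account = $account; SID = $sid; RuleGuid = $rule.PSChildName }
        }
    }
}

function Get-RuleMatchStatus {
    param([string]$ProcessName,
          [string]$LogPath = 'C:\ProgramData\Privilege Authority\Logs\CSEHostEngine.log')
    $level = (Get-ItemProperty $paRoot -Name LogLevel -ErrorAction SilentlyContinue).LogLevel
    if ($level -ne 3) { Write-Warning "LogLevel is '$level'; set it to 3 and restart the host service" }
    if (-not (Test-Path $LogPath)) { Write-Warning "Log not found: $LogPath"; return }
    # 'NO MATCH' contains 'MATCH', so the negative form is tested first
    Select-String -Path $LogPath -SimpleMatch -Pattern $ProcessName | ForEach-Object {
        $status = if ($_.Line -match 'NO MATCH') { 'NO MATCH' }
                  elseif ($_.Line -match 'MATCH') { 'MATCH' } else { 'UNKNOWN' }
        [pscustomobject]@{ Line = $_.LineNumber; Status = $status; Text = $_.Line.Trim() }
    }
}

Get-PrivilegeAuthorityRules | Format-Table -AutoSize
Get-RuleMatchStatus -ProcessName 'notepad.exe' | Format-Table -AutoSize   # constructed example target
```

Run it in an elevated PowerShell session on the client after the GPUpdate and logging steps; an empty rule listing points back at the GPO link, an empty status listing at the log level or the process name.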
Posted by LeadThem Consulting | in Uncategorized | No Comments »

How To Redirect the Default Website to the Password Manager(QPM) Self Service Site

Jan. 22nd 2014

Password Manager does not redirect automatically; you have to go to http://servername/qpmuser every time. However, within IIS you can turn on HTTP Redirect. Here are the steps.

Go to the IIS Manager
Select HTTP Redirect under the Default Web Site


Check “Redirect request to this destination”

Enter QPMUser

Check “Redirect all requests to exact destination”

Check “Only Redirect Request to content in this directory”

Click Apply


Go to each subfolder and virtual directory under Default Web Site.

Uncheck “Redirect request to this destination”. This is very important, because every subfolder and virtual directory will otherwise have the HTTP Redirect set on it as well.

Apply Changes


Once this is done, you will be able to go to http://servername and it will redirect you to http://servername/QPMUser.

This must be done on all QPM web servers you want to redirect.

Note: If you want to redirect to the Helpdesk site instead, enter QPMHelpdesk instead of QPMUser.
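The same redirect can be applied from PowerShell with the IIS WebAdministration module. This is an added example, not from the original post; it assumes the Default Web Site name and the QPMUser destination given above, and that the site answers on localhost for the final check.

```powershell
# Added example (not from the original post): the redirect from the steps above applied
# with the IIS WebAdministration module. Site name and destination come from the post;
# the final check assumes the site answers on localhost.
Import-Module WebAdministration

function Set-QpmRedirect {
    param([string]$Site = 'Default Web Site', [string]$Destination = 'QPMUser')
    $filter = 'system.webServer/httpRedirect'
    $sitePath = "IIS:\Sites\$Site"
    # Site level: the same three boxes that are ticked in IIS Manager
    Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name enabled          -Value $true
    Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name destination      -Value $Destination
    Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name exactDestination -Value $true
    Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name childOnly        -Value $true
    # Subfolders, applications and virtual directories pick the redirect up as well,
    # so clear it on each of them (plain files are skipped)
    foreach ($child in Get-ChildItem $sitePath | Where-Object { $_.NodeType -ne 'file' }) {
        Set-WebConfigurationProperty -PSPath "$sitePath\$($child.Name)" -Filter $filter -Name enabled -Value $false
        "Redirect cleared on $Site/$($child.Name)"
    }
}

function Test-QpmRedirect {
    # Requests the site root without following redirects and reports where it points
    param([string]$Url = 'http://localhost/', [string]$Expected = 'QPMUser')
    $req = [Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false           # a 3xx is returned, not followed
    $resp = $req.GetResponse()
    $location = $resp.Headers['Location']
    $status = [int]$resp.StatusCode
    $resp.Close()
    [pscustomobject]@{ Status = $status; Location = $location; Ok = ($location -like "*$Expected*") }
}

Set-QpmRedirect
Test-QpmRedirect | Format-Table -AutoSize
```

Run it as an administrator on each QPM web server; pass -Destination 'QPMHelpdesk' to Set-QpmRedirect for the Helpdesk variant from the note above.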


Author: Wayne Thompson, Exchange Architect, LeadThem Consulting

________________________________________________________________________________________________________________


Posted by LeadThem Consulting | in Password Manager | Comments Off on How To Redirect the Default Website to the Password Manager(QPM) Self Service Site

SharePlex – Repairing a Table with Copy

Jan. 2nd 2014

This procedure is generally used only for very large tables, when standard compare and repair cannot be executed due to time or system resource constraints. The instructions below will allow you to execute this procedure with the least amount of impact to the database, by minimizing the lock time required on the table.

  • Open 3 windows on the source system to expedite the process. This will enable you to minimize the amount of time the full table lock is held. With proper execution, the table lock can be less than 10 seconds.
  • In one window, create an export parameter file to export the table you want to synchronize. When complete, enter the export command but don’t hit the return key. The basic export command or data pump can be used.
    • noup / expdp parfile=exp.par &
  • In your second window, enter sqlplus from the command line. Enter the lock table command but do not hit return.
    • sqlplus / as sysdba
    • SQL>  lock table <table name> in exclusive mode;
  • In your third window, enter sp_ctrl and type in the flush command but do not hit return.
    • sp_ctrl
    • > flush <datasource>
  • You are now ready to start the procedure. All steps should be done as quickly as possible to reduce the lock time.
  1. Execute the lock table command in window two. If this times out, retry until successful.
  2. Execute flush command in window three.
  3. Start export command in window one.
  4. Return to window two and execute a commit.
  5. When export is completed, transfer dump file to target server, truncate the table, and import it.
  6. Start the post process.


Author: Mark Bochinski, Senior SharePlex DBA, LeadThem Consulting

________________________________________________________________________________________________________________


Posted by LeadThem Consulting | in SharePlex | Comments Off on SharePlex – Repairing a Table with Copy

SharePlex Compare and Repair

Jan. 2nd 2014

Shareplex COMPARE/REPAIR

The COMPARE and REPAIR commands are essential components of the Shareplex toolset. The COMPARE command, started on the source system, will compare one table with the corresponding table on the target. The COMPARE USING <config file name> command will compare the entire list of tables in the config file. The COMPARE command creates one log file on the source and two files on the target, one log file and one SQL file. The log file records the steps taken and errors if they occur. The SQL file contains comments plus any SQL statements needed to bring the table back in sync. However, these SQL statements are not executed. During the execution of the COMPARE command, a brief exclusive table lock is required on the source system. The table is immediately unlocked once Shareplex starts reading the table. However, on the target system the exclusive table lock is held for the duration of the compare on that table. This prevents the table from being modified during the compare. The REPAIR command works identically to the COMPARE command with the exception that it does execute the SQL statements and synchronizes the OOS (out-of-sync) table.

Before starting the COMPARE or REPAIR commands, the TEMP tablespace and the UNDO tablespace may need to be made larger. Also, the undo_retention database parameter may need to be increased. At a bare minimum, the TEMP tablespace will need to be at least as large as the largest table. Depending on the setting of SP_DEQ_THREADS (default 2), the TEMP tablespace would need to be larger than the sum of bytes of the two largest tables. If SP_DEQ_THREADS is set to a larger number, increase the size of the TEMP tablespace accordingly. Similarly, the UNDO tablespace may need to be increased. Based on transaction volume and the length of time it takes to compare the largest table, increase the size of the UNDO tablespace and increase the undo_retention database parameter to avoid an ORA-1555 Snapshot too old error. Tables with LOBs take much longer to compare or repair than tables without them.

The Shareplex COMPARE and REPAIR commands work as follows. After locking the table, the table is read and sorted in identical fashion on both source and target. If the table is large, it will probably need to be sorted in the TEMP tablespace; as this writes to disk, it takes longer than sorting in RAM. Next, 10000 rows are read on the source and target systems and a UNIX checksum is performed on each batch. If the checksums match, the next 10000 rows are read, and so on. If the checksums do not match, the COMPARE and REPAIR processes determine which rows are out of sync and create the SQL statements to repair them. The REPAIR process then executes those SQL statements.

Commonly modified COMPARE/REPAIR parameters

SP_DEQ_BATCHSIZE – Default 10000. This parameter determines how many rows are read on source and target before executing the UNIX checksum command. Larger batch sizes increase the processing speed but require more RAM. The range of values is from 1 to 32767.

SP_DEQ_THREADS – Default 2. This parameter controls the number of parallel compare or repair processes. It only impacts the COMPARE USING <config file name> command. A common occurrence when this parameter is set to a high value is multiple large tables comparing at once. If the database has 1000 tables in replication and 20 of them are large, Shareplex will quickly compare the small tables while the large tables will take longer as they sort to the TEMP tablespace. Eventually, many large tables could be comparing at the same time. This can cause a huge load on the OS. Setting SP_DEQ_THREADS larger than the number of available CPUs is unadvisable.

SP_DEQ_SKIP_LOB – Default 1. The default value causes LOBs to be included in the compare/repair process. Setting it to 0 will cause only the non-LOB columns to be included in the compare repair process. This will greatly speed up comparing or repairing LOB tables, especially useful if the LOB columns are never modified after insert.
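As an added illustration (not SharePlex code), the PowerShell below models the batch-checksum pass described above on a few constructed rows, with -BatchSize standing in for SP_DEQ_BATCHSIZE and -SkipLob for SP_DEQ_SKIP_LOB=0; the SQL it produces is the kind of statement a REPAIR would execute. The table name, column names and rows are all constructed for the example.

```powershell
# Added example (not SharePlex code): a model of the batch-checksum pass described
# above, run on constructed rows. -BatchSize stands for SP_DEQ_BATCHSIZE and -SkipLob
# for SP_DEQ_SKIP_LOB=0; the SQL produced is what a REPAIR would execute.
function Compare-ReplicatedTable {
    param([object[]]$Source, [object[]]$Target,
          [int]$BatchSize = 10000,       # SP_DEQ_BATCHSIZE default
          [switch]$SkipLob,              # SP_DEQ_SKIP_LOB=0: leave LOB columns out
          [string]$Table = 'SCOTT.EMP')  # constructed table name
    $cols = if ($SkipLob) { @('Id', 'Name') } else { @('Id', 'Name', 'Photo') }  # Photo plays the LOB
    $rowText  = { param($r) ($cols | ForEach-Object { [string]$r.$_ }) -join '|' }
    $sha      = [Security.Cryptography.SHA256]::Create()
    $checksum = { param($rows)
        $text = ($rows | ForEach-Object { & $rowText $_ }) -join "`n"
        [BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($text))) }
    # Index both sides by key and walk the sorted union of keys in batches, so a row
    # missing on one side does not shift later batch boundaries (a simplification).
    $s = @{}; foreach ($r in $Source) { $s[$r.Id] = $r }
    $t = @{}; foreach ($r in $Target) { $t[$r.Id] = $r }
    $keys = @(@($s.Keys) + @($t.Keys) | Sort-Object -Unique)
    $sql = New-Object System.Collections.Generic.List[string]
    $batches = 0; $oos = 0
    for ($i = 0; $i -lt $keys.Count; $i += $BatchSize) {
        $batches++
        $batch = @($keys[$i..([Math]::Min($i + $BatchSize, $keys.Count) - 1)])
        $sRows = @($batch | Where-Object { $s.ContainsKey($_) } | ForEach-Object { $s[$_] })
        $tRows = @($batch | Where-Object { $t.ContainsKey($_) } | ForEach-Object { $t[$_] })
        if ((& $checksum $sRows) -eq (& $checksum $tRows)) { continue }   # batch in sync
        $oos++
        foreach ($k in $batch) {   # only a mismatching batch is examined row by row
            if (-not $t.ContainsKey($k)) {
                $vals = ($cols | ForEach-Object { "'$($s[$k].$_)'" }) -join ', '
                $sql.Add("INSERT INTO $Table ($($cols -join ', ')) VALUES ($vals);")
            } elseif (-not $s.ContainsKey($k)) {
                $sql.Add("DELETE FROM $Table WHERE Id = $k;")
            } elseif ((& $rowText $s[$k]) -ne (& $rowText $t[$k])) {
                $set = ($cols | Where-Object { $_ -ne 'Id' } | ForEach-Object { "$_ = '$($s[$k].$_)'" }) -join ', '
                $sql.Add("UPDATE $Table SET $set WHERE Id = $k;")
            }
        }
    }
    [pscustomobject]@{ Batches = $batches; OutOfSyncBatches = $oos; RepairSql = $sql }
}

# Constructed sample: row 2 differs only in its LOB, row 3 is missing on the target,
# row 4 exists only on the target
$src = @([pscustomobject]@{ Id = 1; Name = 'Ann'; Photo = 'aa' }, [pscustomobject]@{ Id = 2; Name = 'Bob'; Photo = 'b2' }, [pscustomobject]@{ Id = 3; Name = 'Cy'; Photo = 'cc' })
$tgt = @([pscustomobject]@{ Id = 1; Name = 'Ann'; Photo = 'aa' }, [pscustomobject]@{ Id = 2; Name = 'Bob'; Photo = 'b1' }, [pscustomobject]@{ Id = 4; Name = 'Di'; Photo = 'dd' })
(Compare-ReplicatedTable -Source $src -Target $tgt -BatchSize 2).RepairSql             # LOB column compared
(Compare-ReplicatedTable -Source $src -Target $tgt -BatchSize 2 -SkipLob).RepairSql    # LOB column ignored
```

Comparing the two result lists shows why SP_DEQ_SKIP_LOB=0 is faster and what it hides: the LOB-only difference in row 2 is repaired in the first run and never noticed in the second.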


Author: Mark Bochinski, LeadThem Consulting Senior SharePlex DBA

________________________________________________________________________________________________________________


Posted by LeadThem Consulting | in SharePlex | Comments Off on SharePlex Compare and Repair

Reusing Functions in ARS Scripting

Nov. 20th 2013

Sometimes in scripting, I tend to reuse the same bit of code over and over again, and it can cause the script being written to become overly large, or larger than it really has to be. This is where PowerShell functions come into play.

A function is nothing more than a reusable bit of code that is referenced by a name and, possibly, some variables that are passed into the function.

An example of this is:

 

function HelloWorld {
    Write-Host "Hello to the World!"
}

And in the script, it would be called by simply referencing the name:

HelloWorld

The function may be included in the body of a script and called directly, and all works as expected. But what can we do if the function is used across multiple scripts, without re-inventing the wheel each time? We can place the function(s) in a PowerShell script and include that script, or reference the function script, within the new script. In PowerShell this is called dot sourcing and is formatted like so:

. c:\scripts\include.ps1

Note: The format is a period, a space, and then the path to the script to include. When dot-sourcing a script, all of its variables and functions remain available to the console after the script ends.
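To see the difference dot-sourcing makes, the following added example (not from the original post) writes a small include script to the temp folder, runs it once with the call operator and once dot-sourced, and checks which of the two leaves the function visible to the caller. The include script, its function and its variable are constructed for the demonstration.

```powershell
# Added example (not from the original post): contrasts dot-sourcing with the call
# operator. include.ps1 is written to the temp folder here purely for the demonstration.
$include = Join-Path $env:TEMP 'include.ps1'
@'
$LibraryVersion = '1.0'
function Write-StampedText { param($Text) '{0:yyyyMMdd-HHmmss} {1}' -f (Get-Date), $Text }
'@ | Set-Content -Path $include

& $include                                   # call operator: the script runs in its own scope
$visibleAfterCall = [bool](Get-Command Write-StampedText -ErrorAction SilentlyContinue)

. $include                                   # dot-sourcing: functions and variables land here
$visibleAfterDot  = [bool](Get-Command Write-StampedText -ErrorAction SilentlyContinue)

"After '& script': function visible = $visibleAfterCall"
"After '. script': function visible = $visibleAfterDot, version = $LibraryVersion"
Write-StampedText 'User Modified by ARS'    # only callable because of the dot-source
Remove-Item $include
```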


So, now we have the basics of that out of the way, the same idea can be used in Quest Active Roles Server (ARS). Script modules within ARS can be created for a multitude of operations:


  • onPreCreate
  • onPostCreate
  • onPreDelete
  • onPostDelete
  • onPreModify
  • onPostModify
  • onPreMove
  • onPostMove
  • onPreRename
  • onPostRename
  • onPreGet
  • onPostGet
  • onPreDeprovision
  • onPostDeprovision
  • onPreUnDeprovision
  • onPostUnDeprovision


Let’s just say that, for all of the operations above, you had a need to write the date and time to the description field if the object was of type User. This could be a requirement, and an easy way to tell when the user object was last touched by ARS automation.

The scenario above is a good use for a function: include that function in all ARS Policy scripts, and it can be called from each of them.


To accomplish this, first, we need to create a Library script within ARS.  A Library script is the only type of script in ARS that may be referenced from a policy script.  In the ARS console, expand Configuration, then Script Modules.  From here the Library script can be created, or a new Script Container can be made to house and organize the custom modules.


I have a custom scripts container where I place all of my created scripts (Library and Policy).  Right click where you want to create a script, and select New->Script Module.  This will open the Wizard to create a new Script Module object.


Enter a name for the new library, select your language of choice (this has been written around using PowerShell), enter a Description if so desired, and click Next.


This page is where we select Library script.  As you can see by the explanation, this is exactly what we are looking for.  Click Next.


The last page is just a confirmation, click Finish to create the new Library.

In order to add functions to the new Library, locate it within the tree, click on it (you will see that the right pane is blank), and either click the edit icon or press F4 to edit the script.

Now, we create our function.  I will just show the finished code below:

Function SetUserDescription {
    # $Request and $DirObj are supplied by ARS; only act on User objects
    If ($Request.Class -eq "User") {
        $dn = $DirObj.Get("distinguishedName")
        $Date = Get-Date -Format "yyyyMMdd-HHmmss"
        $Description = "User Modified by ARS on " + $Date
        Set-QADUser $dn -Description $Description
    }
}

The code above checks the class, grabs the user's DN, grabs the date, builds the description text, and then sets the user's description.

Save the Library script by clicking the save icon or by pressing Alt-S.

We have a script Library with our function saved in it, now to use it within a policy script.

A new Policy script can be created using the previous steps for the Library script, just select Policy Script in the second step.

Follow the Library procedures for editing the script.

Now that we are in editing mode, let’s include our Library. Click the include-library icon or press Alt-L.

This dialog appears, and all that is required is to expand the container that the Library exists in and check the box next to the Library and click OK.  Note:  Multiple Libraries may be included at the same time with this dialog.

After the OK button is clicked, code will appear at the top of your edit window that looks like the following:

function onInit($Context)
{
    $Context.UseLibraryScript("Script Modules/Custom Scripts/TestLibrary")
}

With this included now, you may reference any function that exists within that Library.  In our example, you would just reference SetUserDescription in order to call that function.

function OnPreMove($Request)
{
    # *** Do some stuff ***
    SetUserDescription
}

The above will execute the SetUserDescription function from the included Library script before a User is moved but after ‘stuff’ script commands execute.

Once your Library is built up and assigned to Policy Scripts, you are ready to assign these Policy scripts to Provisioning Policies, Deprovisioning Policies, or Workflows within ARS.

 

Author: Russ Burden, Technical Architect, LeadThem Consulting

________________________________________________________________________________________________________________


Posted by LeadThem Consulting | in ARS | Comments Off on Reusing Functions in ARS Scripting

LeadThem Consulting
20418 SE Hwy 212
Damascus, OR 97089