Category: BuildingBlocks

Removing zombies from Service Store

By Max Ranzau

 

From the Hacking Dead dept. Service Store is a fine HR data processor and workflow engine when you set it up to pull people and department data in from an authoritative data source. In a previous article I showed an example of how to do just that. However, when a person is marked as deleted in your datasource, IT Store doesn’t delete the user. They effectively are the living dead IT Store people, except in this case they won’t try to claim a license or your brains.

Update: This article was updated on May 8th 2016 with new and improved SQL.

Deleting a user in IT Store has always been a two-stage affair. Initially, when IT Store marks a person for deletion, it uses the opportunity to scan for any and all delivered services. One should not tinker with this. However, once the mentioned services have been properly returned, the user is then marked as [Ready for deletion]. But that’s all she wrote. Nothing more happens.

Effectively this means that over time an organization with thousands of annual onboardings/offboardings (think educational institutions, for example) will have a pileup of undead un-deleted people in IT Store. Sure, they’re obscured from view until you check the “Include people marked for deletion” box. Your only current option is to manually go Michonne on them in the console yourself. (Yes, I know – old screenshot, but it’s the same deal)

Update: There is also another problem with leaving people not deleted in the ServiceStore. If you need to re-use people identifiers, say when you delete someone, their email address can be re-registered. This is not the case if a person is not deleted manually from the store.

The design rationale is that since some HR systems don’t delete the employee when off-boarded, then neither should ITS. Here’s where I disagree. It makes sense for HR systems to keep a record of previous people for administrative reasons, but since ITS is the conduit into the rest of the IT infrastructure organization, there’s IMHO little point in keeping a record here once you’ve cleaned up everywhere else. After all, during off-boarding we’d probably be exporting the user’s mailbox and zip up his homedrive as we don’t want dead user remains floating around in the production environment.

At this stage there’s only one way to deal with this if you don’t want to manually flush users marked ready for deletion: Hack the IT Store database.

Like any other vendor, RES gets nervous ticks and reaches for their crossbow when you start messing with the brraaaiiins grey matter of the datastores, thus the usual warnings apply: If you do this, you’re on your own. See the MOAD for details. Also, may I recommend you make a backup of the datastore and KNOW how to restore it.

That said, let’s look at the updated hack. It consists of 3 consecutive SQL delete queries. The first version of this database hack only deleted the person, but since people attributes and identifiers are stored in separate tables, they would be orphaned if you don’t clean them out before deleting the person. Presuming your datastore is running MSSQL, the new and improved update SQL looks like this:

-- delete all people identifiers associated with this person
DELETE
   FROM [$[in.db.its.name]].[dbo].[OR_PeopleIdentifiers]
   FROM [$[in.db.its.name]].[dbo].[OR_PeopleIdentifiers] AS ppli
   INNER JOIN [$[in.db.its.name]].[dbo].[OR_Objects] AS pers
      ON ppli.PersonGuid = pers.Guid
   WHERE pers.Type = 1 AND pers.RecordStatus = 2;

-- delete all people attributes associated with this person
DELETE
   FROM [$[in.db.its.name]].[dbo].[OR_PeopleAttributes]
   FROM [$[in.db.its.name]].[dbo].[OR_PeopleAttributes] AS ppla
   INNER JOIN [$[in.db.its.name]].[dbo].[OR_Objects] AS pers
      ON ppla.PersonGuid = pers.Guid
   WHERE pers.Type = 1 AND pers.RecordStatus = 2;

-- delete the person
DELETE FROM [$[in.db.its.name]].[dbo].[OR_Objects]
   WHERE [$[in.db.its.name]].[dbo].[OR_Objects].Type = 1 AND
         [$[in.db.its.name]].[dbo].[OR_Objects].RecordStatus = 2;

The $[in.db.its.name] above is an Automation Manager module parameter, containing the name of the ITS database. Running this update query will be the same as manually deleting all the users marked [Ready for deletion]. One SNAFU back in IT Store 2014 was that the people would not be removed from the ITS console before you exit and re-launch it. My guess is that the records are cached in RAM and are only updated when the old IT Store was doing its own operations. This is however not the case with ServiceStore 2015, as the affected people are removed immediately.

Putting this into Automation Manager, I came across a minor problem with the SQL statement execute task in Automation Manager. It looks like as of SR3 (7.0.3.0) the password field can’t be properly parameterized. Sure, you can rightclick on the password field and insert a parameter, but next time you go back and edit the module, the password stops working. Until RES fixes this and puts in a proper set of credential-type accepting fields, you’re better off hardcoding the password.

If you’re still up for it, try out this buildingblock in your lab.

Note1: The buildingblock has NOT been updated with the new SQL statement above, you’ll need to paste that in yourself.

Note2: If you suspect you might already have orphaned people attributes or people identifiers in your datastore you can check with these two statements:

-- test if we have any orphaned people attributes
select * from your_storedb.dbo.OR_PeopleAttributes
WHERE NOT EXISTS(SELECT NULL
                    FROM your_storedb.dbo.OR_Objects obj
                   WHERE obj.Guid = PersonGuid  )


-- test if we have any orphaned people identifiers
select * from your_storedb.dbo.OR_PeopleIdentifiers
WHERE NOT EXISTS(SELECT NULL
                    FROM your_storedb.dbo.OR_Objects obj
                   WHERE obj.Guid = PersonGuid  )

If both queries above come back with zero rows, you’re fine. Otherwise, you’ve got orphans. You can wipe them out like another Scrooge by running these two deletes:

-- delete orphaned people attributes
delete from your_storedb.dbo.OR_PeopleAttributes
where not exists (
    select NULL 
    from your_storedb.dbo.OR_Objects obj
    where obj.Guid = PersonGuid
);

-- delete orphaned people identifiers
delete from your_storedb.dbo.OR_PeopleIdentifiers
where not exists (
    select NULL 
    from your_storedb.dbo.OR_Objects obj
    where obj.Guid = PersonGuid
);
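
The three-stage cleanup and the Note2 orphan check can also be run as one all-or-nothing batch with a dry-run switch, so the row counts can be reviewed before anything is kept. This is an added example, not code from the original article or from RES; your_storedb is the article's placeholder, while the @commit switch and the variable names are assumptions of this example, and THROW needs SQL Server 2012 or later.

```sql
-- Added example, not from the original article. Try it on a restored copy first.
-- your_storedb is the article's placeholder for the Service Store database name.
USE your_storedb;
SET NOCOUNT ON;
SET XACT_ABORT ON;                             -- any runtime error dooms the transaction
SET TRANSACTION ISOLATION LEVEL SERIALIZABLE;  -- the matched people cannot change mid-run

DECLARE @commit bit = 0;   -- hypothetical switch: 0 = dry run (roll back), 1 = keep the deletes
DECLARE @ids int, @attrs int, @people int, @orphans_before int, @orphans_after int;

BEGIN TRY
    BEGIN TRANSACTION;

    -- Baseline: child rows that are already orphaned (the Note2 check, both tables).
    SELECT @orphans_before = COUNT(*)
      FROM (SELECT PersonGuid FROM dbo.OR_PeopleIdentifiers
            UNION ALL
            SELECT PersonGuid FROM dbo.OR_PeopleAttributes) AS child
     WHERE NOT EXISTS (SELECT 1 FROM dbo.OR_Objects AS o WHERE o.Guid = child.PersonGuid);

    -- Children first, then the person, using the article's filter throughout.
    DELETE ppli
      FROM dbo.OR_PeopleIdentifiers AS ppli
      INNER JOIN dbo.OR_Objects AS pers ON ppli.PersonGuid = pers.Guid
     WHERE pers.Type = 1 AND pers.RecordStatus = 2;
    SET @ids = @@ROWCOUNT;

    DELETE ppla
      FROM dbo.OR_PeopleAttributes AS ppla
      INNER JOIN dbo.OR_Objects AS pers ON ppla.PersonGuid = pers.Guid
     WHERE pers.Type = 1 AND pers.RecordStatus = 2;
    SET @attrs = @@ROWCOUNT;

    DELETE FROM dbo.OR_Objects
     WHERE Type = 1 AND RecordStatus = 2;
    SET @people = @@ROWCOUNT;

    -- Same orphan count again: the deletes must not have made it grow.
    SELECT @orphans_after = COUNT(*)
      FROM (SELECT PersonGuid FROM dbo.OR_PeopleIdentifiers
            UNION ALL
            SELECT PersonGuid FROM dbo.OR_PeopleAttributes) AS child
     WHERE NOT EXISTS (SELECT 1 FROM dbo.OR_Objects AS o WHERE o.Guid = child.PersonGuid);

    -- Report what happened (or would have happened in a dry run).
    SELECT @people AS PeopleDeleted, @ids AS IdentifiersDeleted, @attrs AS AttributesDeleted,
           @orphans_before AS OrphansBefore, @orphans_after AS OrphansAfter,
           CASE WHEN @commit = 1 AND @orphans_after <= @orphans_before
                THEN 'COMMITTED' ELSE 'ROLLED BACK' END AS Outcome;

    IF @commit = 1 AND @orphans_after <= @orphans_before
        COMMIT TRANSACTION;
    ELSE
        ROLLBACK TRANSACTION;
END TRY
BEGIN CATCH
    IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;
    THROW;   -- re-raise the original error (SQL Server 2012 or later)
END CATCH;
```

With @commit left at 0 the batch only reports the counts and rolls everything back; a non-zero OrphansBefore means the orphan deletes from Note2 are still worth running.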

 

Bug alert: The Zombification Attribute

By Max Ranzau

 

From The Brrrraaaains Dept. Although the title might sound like a weird crossover episode between Big Bang Theory and The Walking Dead, I had a super scary experience with Service Store this week. All of a sudden people attributes had disappeared from a client development environment and everyone was biting their nails that the problem would propagate into production. Even the built-in People Attributes, Security Questions and Answers, had disappeared from all users when you went to their Attributes tab. What was even worse: services were failing left and right – specifically those which used any reference to #Subscriber(personattribute) or #Requester(personattribute). Looking directly into the OR_PeopleAttributes table via SQL Studio, I could see my attributes were still intact, alas something was making the ServiceStore act all gnarly and puke dayglo, while everything else seemed to work normally.

At the time of writing, I have only experienced this problem with the latest ServiceStore 2015 FR2, Update 2, AKA (8.2.2.0). I do not know if earlier versions of Service/IT store are affected. And yes, this has been reported to the Merry Men of RES Support. You’ll probably notice a new KB article over the next few days until engineering devises a fix for this.

I’ll spare you the long trials and tribulations I went through to nail this bug down over the course of a night, with only a pot of coffee and Radio Paradise for company. Let’s cut to the chase:

The problem is specifically with certain People Attributes you may define: It would appear if you define a Person Attribute of the TABLE type, with more than 6 columns defined, the problem will manifest itself at some point and your people attributes will be zombified. What specifically triggers it, is not exactly clear, however I suspect it would be when a WFA (WorkFlow Action) references the attribute. I was able to manually trigger it in a new clean database by importing a buildingblock containing the offending attribute and a dummy service.

The good news is that until the software engineers fix the problem, it is relatively easy to get rid of: Go and either delete the table Person Attribute from your Data Model, or edit it down to 6 columns or less. The moment column #7 is deleted and the table definition saved, all the hidden people attributes would re-appear.

So, now we know what we’re dealing with, allow me a moment to spin my thoughts on this: The table objects were originally created to cater for MDM, like registering something a user might have more than one of, such as mobile devices, tablets etc. Typically 4-5 fields were used for Device type, Model, Carrier, Phone#, etc, thus I can only muse that more than 6 columns might never have been attempted during test – that is until your friendly neighborhood blogging-bull came charging through the china store and created a table attribute with 14 columns.

This concludes the alert/early warning. As mentioned, RES have already been notified, so hopefully this article will be obsolete soon.

 

New Technote: Webservices & Automation Manager

From the Technotes-R-Us Dept: Today I have the pleasure of sharing a new article based on some preliminary work I did for a couple of clients who are looking to integrate SOAP based web-services into RES Workspace Manager. I put together a simple demo that shows how to use SOAP calls to pull a live weather report from major airport cities around the world. If you can make that work, you can do pretty much anything, from configuring a firewall and setting up infrastructure to even processing creditcard payments.

This is the first of a two-part article; next time we will look at wrapping a service around the module and learning a few nifty tricks on how to deal with value dependent dropdowns.

<<< Click here to read part one

<<< Click here to read part two

Automated XenDesktop 7.5 Build with RES AM

By Max Ranzau

 

From the BuildingBlock Dept. You may recall a couple of years ago that I published a RES Automation Manager buildingblock for Citrix Xen Desktop 5.5, XA and PVS.  Today it’s my pleasure to publish a new buildingblock that will do the same for Xen Desktop 7.5. It’s pretty slick, as it hardly needs any configuration or special prerequisites and allows you to choose all the install options for Xen Desktop.

My friend and co-blogger Mr. Jeroen Speetjens from the Netherlands has been kind enough to share this with the RES community. You folks over at Citrix might also want to take note of this work. In order to use this buildingblock, all you need is the Xen Desktop ISO and a fresh Server 2008 or 2012. Deploy a RES Automation Manager agent to the target server, then import and schedule the module. The module contained in this RES Automation Manager buildingblock will configure everything else you need.

When you import the buildingblock, you will be prompted for the path to the contents of the XD .iso file, as shown on the screenshot below. It is recommended to either mount it somewhere and share it, or copy all the files out of the ISO to a share. Either way, it’s about 2GB and you don’t want to add that as an AM resource; not that Automation Manager can’t handle it, it’s just a hassle next time you’re updating the binaries when you have a new .iso.

When you schedule the module to the target server, the module will prompt you for what kind of installation you want. After that it’s off to the races: The average deployment time is about 10 minutes on a target system with SSDs.

Note: If you decide to download this AM buildingblock and take it for a spin, I kindly ask you to take a moment to comment your feedback below and send thanks to Jeroen for his efforts.

Click the brick as per usual to download the buildingblock.

Remember: RESguru.com is still the number one place to get noticed if you are doing cool stuff with RES: If you’ve got something to share – the guru community cares!

Fixing IE cookie trouble with RES WM

By Max Ranzau

 

From the World’s Greatest Browser (Right…) Dept: In Internet Explorer 10 and up, the WebCacheV01.dat file was introduced. This file lives in %LocalAppdata%\Microsoft\Windows\WebCache. The webcache folder is hidden. The issue at hand is that the webcache file is always in use, which makes for a rainy day if you try to roam/copy IE cookies, or otherwise store them with RES User-Settings. The issue was described back in April by Rob Beekmans on his blog here.

As of now, the problem is rumored to have been addressed by Microsoft on Server 2012, but is still very much alive and kicking on Server 2008, which at the time of writing still represents a large contingent of server deployments out there.

While Mr. Beekmans illustrated the issue, my partner-in-crime the good Mr. Aarts tackled the issue head on, providing a neat and shareable solution for the RES community in the shape of a Workspace Manager buildingblock. By running a couple of strategic PowerShell scripts in the user’s session and including a couple of extra (freeware) utilities as custom resources, the buildingblock solves the problem described above. The Workspace Manager BB includes the following:

  • A PowerShell command to set the PS execution policy to unrestricted to make sure we don’t get any unnecessary prompts when running the following items unattended:
  • A PS script running at logoff, which backs up the current webcache to a location of your choice *1). The script will create two backup .zip files for the two folders WebCache and INetCookies as well. The script will also leave 5 rotated backup file sets.
  • A PS script running at logon to restore the latest backup of these two folders to their original location
  • Both logon/logoff scripts close all open file handles before making the backup/restore operations.
  • 7zip and SysInternals Handle64.exe are included as RESWM custom resources.

As you may infer, the above essentially extends the WM User Settings with a basic Hybrid Profile – style copyout-copyin script system. This is necessary, as User Settings would face the same issue as any other UEM: that the target files are locked. I’d say there’s a loud and clear feature request waiting to be implemented here that could solve a lot of potential headaches for customers.

Important: As you can see on the screenshot, there are a couple of places where you may need to modify the logon/logoff scripts. The destination where the backup files are to be stored defaults to H:\ – you may need to change that. If you already are using a UNC path like \\server\share\%username% for your User Settings, you perhaps want to consider using that as well. Just remember to add a subfolder for this, like \\server\share\%username%\IEbackup or similar. We could of course have added an environment variable so you only had to change the storage destination once, however it’s two edits. Chances are you may survive it :)

Click the brick to download the buildingblock.

Automated VDI Optimization

From the BuildingBlock Dept. Here’s a set of buildingblocks for Automation Manager I’d like to share with you. They have kindly been provided by my co-blogger Rob Aarts. Rob asked me to go through the buildingblock and we agreed to document the result in an article. This collection of modules is very useful when implementing best practices for a Windows 8.1 golden image.

<<< Click here to read the article

 

 

New technote: Guide to Environment Variables

From the WhereDoesHeGetThoseWonderFulToys Dept. It took a while to get the whole thing stood up, but here it is, a complete and current (as of Workspace Manager 2012 SR2) overview of all RES Environment Variables. The guide also covers known system environment variables and references how these tie into a RES managed environment. Finally, the guide also includes buildingblocks for a couple of small diagnostic tools that will show the current values of the variables within a session, without using or exposing the Command Prompt to the users. Enjoy!

<<< Click here to open the Guide.

Getting rid of an Explorer folder problem

By Max Ranzau

From the Hexbags and Spells Dept. One really annoying explorer behavior which seems to recently have been making its rounds on Win7 x64 is an error which typically appears when you either drag and drop to move things around in desktop folders or just create a folder somewhere using explorer. The error message, which often comes out of the blue, is “Could not find this item” <new line> “This is no longer located in <path>. Verify the item’s location and try again.” This addition to the Technote Library shows you how to defeat it with RES Automation Manager and, as usual, a BuildingBlock is included.

<<< Click here to read the technote

 

 

Defeating a live virus/trojan infection with AM

By Max Ranzau

 

From the Crush, Kill & Destroy Dept. This is an article about using RES Automation Manager to defeat a live virus infection and cleaning up the collateral damage afterwards, in case you’re dealing with many computers. With the help of others, I’ve put together a solution, as well as providing some valuable generic takeaways, like how to change special permissions in the registry and how to use the Windows PendingFileRenameOperations queue from within Automation Manager.

<<< Click here to read the article.

 

New Tool: GPO to RES Converter

From the Community Hero Dept. One of the things I state over and over is that we're our own worst critics here at RES Software. While this is a good thing, yammering about stuff is one way of getting things changed. Another approach is actually DOING something about it yourself. This is the reason why I want to highlight a really nice tool, called ImportGPO – which my good friend and colleague, Dennis Raemakers, has developed on his own. Today I'm proud to be able to share it with the RES community at large:

The ability to read the given configuration information stored in GPO's and import it into the RES Workspace Manager has been a long sought after feature. This is exactly what this tool does and a bit more! While there are other tools out there, such as the previously covered VEToolkit, which do something similar, more tools of this kind enrich the RES community resource pool. Either way, the advantage of exporting the GPO's themselves is that they contain the whole picture, not just the resulting set of settings being applied via the .POL files. The ImportGPO utility works like this:

  1. First go to a Win7/2008 box and start your Group Policy Management Console, for example by running GPMC.MSC
  2. Now navigate to the policy which you want to convert. Go to the Settings tab
  3. Rightclick and choose "Save Report.."
  4. Choose to save the report as .XML format (not .TXT). This is important.

Just do it like shown above on the right, where I've used the Domain Default policy as an example.

Once you've got the XML export of the given GPO, it's time to fire up the ImportGPO utility, which can be downloaded further down.

In the tool, you want to use the Import XML file button on the right and get the report you've just created into the tool. Once imported, there are a couple of things to know about what you're looking at. All settings in RED are disabled settings. With the checkboxes at the bottom of the screen you can choose to hide disabled settings. You can also decide not to export disabled settings. You might also see some settings appearing in BLUE. These are HKEY_LOCAL_MACHINE based settings. The tool will export both HKCU and HKLM settings as separate .reg files, which you now can import respectively into Workspace Manager and RES Automation Manager.

The tool also supports GPO's for Folder Redirection. This means if you have a policy which specifies that some shellfolders (such as Desktop or MyDocuments) should be living somewhere else, you can export this to a BuildingBlock that will import directly into the Folder Redirection node of Workspace Manager 2012 (yes, only this version and up). If you import a GPO file which contains any folder redirections, an asterisk (*) will flash on each side of the Folder Redirection tab in the tool. All you need to do is go there and select which shellfolder redirections you want to include.

One important thing is the checkbox to enable the Folder Redirection node at the bottom of the tab. Enabling this box will instruct Workspace Manager to turn on the Folder Redirection feature under Composition | Actions by Type | File and Folders | Folder Redirection when you import the BuildingBlock. Only do this when you are absolutely sure the paths are valid and sound, otherwise first review the redirection paths in the Workspace Manager console. Also, if you uncheck a given redirection policy, it will still be exported to the BuildingBlock, but will be disabled by default. This concludes the walkthrough of the ImportGPO tool.

Download the ImportGPO v0.3 tool here – This package contains a couple of sample GPO xml exports as well, one for some generic HKCU based settings, and one that contains folder redirection settings.

This is a tool in development and provided as-is. There are good things to come – Stay tuned! If you have ideas or feedback to Dennis on the ImportGPO tool in the meantime, feel free to comment below.

Enjoy!