Archive for the ‘Tips’ Category

When using Windows SIM (System Image Manager), which is part of the Windows AIK (Automated Installation Kit), you might run into the following error when you try to load a .WIM image…

“Windows sim was unable to generate a catalog”

Chances are that you are trying to open a .WIM image from the $RemoteInstall share. In this folder structure the WIMs are slightly different, as they incorporate metadata and a .RWM file that contains the image data. The easy way around this is to fire up the Windows Deployment Services MMC, find the image, then right click and export it to somewhere else. You should then be able to create a catalog using the newly exported .WIM.

Another of my little Windows 7 deployment annoyances has been the fact that Windows Media Player is pinned to the new taskbar by default, and with Windows 7 it’s not possible to programmatically add or remove pinned items from the taskbar.

After a while of script hunting for something that might get around this, I found out that there is an option in the unattended XML file that will stop it from being automatically added!

In Windows System Image Manager, add the following under phase 7 (OOBE):

   Windows shell setup >> Windows Features >> ShowWindowsMediaPlayer >> false

Over the last few days, I have been having a lot of problems trying to write Lotus Notes .NET applications in Windows Vista. I had no problems writing the apps under XP, but since upgrading I kept getting error messages like “Unable to find user id file” when trying to initiate a Notes Session. The problem was with Windows Vista Virtual Store!

Installing Lotus Notes on Windows Vista seems to be a normal installation. But when you launch Lotus Notes for the first time, it will start to write the notes.ini file and your id file (plus some other user related files…) to the following location: C:\Users\username\AppData\Local\VirtualStore\Program Files\lotus\. I never realised this until a colleague told me that Lotus Notes wrote files to this folder! With Lotus Notes writing to this folder, my .NET applications stopped working!

The way to fix this is to browse to C:\Program Files, right click on “lotus”, go to the Security tab and edit the permissions for “Users” to Full Control. Apply the security settings. Bear in mind that this gives every local user write access to the Notes program files. If you then copy the lotus folder from the VirtualStore to the normal Program Files folder, you will not lose any of your settings:

Copy: C:\Users\username\AppData\Local\VirtualStore\Program Files\lotus\ To: C:\Program Files

You should now be able to delete the lotus folder from the VirtualStore (or just rename the lotus folder to lotus.old if you are worried about losing the data – this would also be useful to see whether Lotus Notes recreates the folder in the VirtualStore).

Lotus Notes should now not use the Virtual Store, and your .NET apps should run without any error.

When creating some system inventory groups in Altiris, I noticed that it didn’t seem to be collecting information for certain EXEs that had been deployed onto the system.

After a bit of reading, I found out that the software audit scan can run in two modes: package mode and file mode. In package mode, it only reports on a single exe from each package, which makes reporting faster and keeps your Altiris database much smaller. This is what runs from a vanilla installation. The second type of scan is file mode, where every exe is audited. You can set this by editing ‘AeXInvSolnAdm2.ini’ in the NSCap folder to run the following:

AeXAuditPls.exe /file /hidden /output xml

You’ll have to wait a day or two for all your systems to re-run the inventory, but afterwards you should be able to report on a lot more!

From time to time you’ll come across the problem where a system’s machine account in Active Directory has either become out of sync (usually due to multiple systems with the same name) or has just been deleted somehow! Telltale signs of this are errors about domains being unavailable, and trust relationships failing whenever the system tries to perform any authentication. In these situations you can usually log in as a local administrator, unjoin/rejoin the domain, then reboot and the problem is sorted.

However, this isn’t so easy if you aren’t in front of the system (which is often the case), although it is possible to do:

First you need to locate the IP address of the system (names will be unreliable if you’ve got multiple systems with the same name!). The best way to find the IP is probably by looking at the DHCP leases on your DHCP server. Once you have the IP address, run regedit.exe on another system, then from the File menu select ‘Connect remote registry’. In the following box, connect to \\<IPaddress>. You should then be able to log on to the system as the local admin user (SYSTEMNAME\Administrator) and navigate to:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

In this key, look for the ‘fDenyTSConnections’ value, and set it to 0. This should enable Remote Desktop if it isn’t already enabled. You’ll need to reboot in order to enable this:

shutdown -m \\<IPAddress> -r

Once the system has rebooted, you should be able to remote desktop to it, log in as the local admin user, and rejoin the domain as if you were in front of it. If it was a case of multiple systems with the same name, though, don’t forget to give it a unique name!

I should also point out that if it was a deleted computer account, you could always restore the object in AD, but that’s another story…

If you’re having a problem where collections on your Altiris server are not updating, despite them being set to ‘Membership update: automatic’ and the options in ‘Configuration > Server Settings > Notification Server Settings > Automatic Collection updating’ being correctly set, take a look at the scheduled tasks on the server. Ours weren’t updating, and it turned out to be due to the scheduled tasks trying to run with invalid credentials.

In previous versions of Windows, we could install the Windows Server 2003 administration/management tools in order to perform administration tasks on remote servers from your workstation. With Vista these tools kind of install, but don’t fully work. Luckily with Vista SP1 Remote server administration tools (RSAT) is now available as a MS download.

RSAT – 32-Bit version (KB941314)
RSAT – 64-Bit version (KB941314)

Once installed, you won’t see anything new on your system. All the installer does is add some new entries to the Windows features list. To fully enable them, go to ‘Control panel’ > ‘Programs and features’ > ‘Turn windows features on or off’. You should hopefully see an entry in here that you can tick to install them.

I don’t understand why the installer doesn’t just automatically turn the feature on if you’re installing it anyway, but it doesn’t bother me that much – it’s not like I’m rolling this out to hundreds of users!

If you’re rolling out Vista to client systems using MS WDS (Windows deployment services) it’s quite useful to ‘inject’ drivers into the image, so that Windows recognises extra devices from the start.

You’ll need the Windows AIK (Automated Installation Kit) installed in order to get the tools required – It’s a free download from Microsoft.

The first thing to do is mount the .wim image. From the start menu, open a Windows PE tools command prompt, then use the following command:

imagex /mountrw "d:\path\to\install.wim" 1 C:\mountDir

This will mount the image into C:\mountDir (remember, you’ll need to have created this directory beforehand!). Now that the image is mounted we can inject drivers into it. You’ll need to have the drivers in a directory, and they must include the .inf/.cat files etc. A standalone .exe or .zip won’t work here! Inject them like this:

peimg /inf="d:\path\to\drivers\*.inf" C:\mountDir

This should go through all the .inf files in your drivers directory and inject them into the image. Now we need to unmount the image and save the changes to the .wim:

imagex /unmount /commit C:\mountDir

At this point the .wim image is updated with the drivers, and it’s ready to be stuck on a WDS server for deployment to clients!

To keep Active Directory clean of old computer accounts, I run a script on a monthly schedule that finds computers that haven’t sync’d passwords for their machine accounts in 120 days or so. It also does some other clever stuff like working out which user the system belonged to and whether they have a new system, then emails the output so that action can be taken appropriately (I doubt many people want auto-deletions of system accounts!).

Someone pointed out to me that a very old system wasn’t getting picked up by the script, so I had to do some debugging…

Running Microsoft’s AD LDAP browser (adsiedit.msc) let me find the system in question, and looking at its properties there was a value for ‘pwdLastSet’, but it wasn’t in a standard date format. After a bit of research, it turns out that this is in the Integer8 format: a 64-bit / 8 byte number that stores the date/time in 100-nanosecond intervals. Great. But when the hell was ‘128509137717192405’ ?!

Easy… You can convert an Integer8 date format by using the ‘w32tm’ command…


Z:\>w32tm /ntte 128509137717192405
148737 10:16:11.7192405 - 25/03/2008 11:16:11 (local time)

So that explains why the system wasn’t appearing in my old systems list, it had sync’d passwords only a couple of months ago.
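An added example (not the author’s script, which the post does not show): the same Integer8 conversion done in Python and applied to the 120-day stale-account check described above. Integer8 values count 100-nanosecond intervals from 1 January 1601 UTC; the account names, the second and third pwdLastSet values, and the report date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Integer8 / FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=120)  # threshold mentioned in the post


def integer8_to_datetime(ticks):
    """Convert an AD Integer8 timestamp to an aware UTC datetime.

    Returns None for 0, which AD stores when the password was never set.
    """
    ticks = int(ticks)
    if ticks < 0:
        raise ValueError("Integer8 timestamp cannot be negative")
    if ticks == 0:
        return None
    # datetime only holds microseconds, so the last 100 ns digit is truncated.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def find_stale(accounts, now, max_age=STALE_AFTER):
    """Return (name, last_set) pairs whose password is older than max_age.

    Accounts with pwdLastSet == 0 are reported with last_set None so they
    are reviewed by hand instead of being silently skipped.
    """
    stale = []
    for name, pwd_last_set in accounts:
        last_set = integer8_to_datetime(pwd_last_set)
        if last_set is None or now - last_set > max_age:
            stale.append((name, last_set))
    return stale


# Constructed sample data: only the first value comes from the post.
SAMPLE_ACCOUNTS = [
    ("OLD-PC-01", "128509137717192405"),  # value shown in adsiedit above
    ("LAB-PC-07", "128300000000000000"),  # constructed: older password
    ("NEW-PC-22", "0"),                   # constructed: never set
]

if __name__ == "__main__":
    report_time = datetime(2008, 5, 25, tzinfo=timezone.utc)  # constructed
    for name, last_set in find_stale(SAMPLE_ACCOUNTS, report_time):
        print(name, last_set.isoformat() if last_set else "never set")
```

The first sample account is not reported, which matches the post: its password was set on 25 March 2008, well inside the 120-day window.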

If you’ve got a directory on a system that you don’t want the Altiris inventory solution to process when the software inventory runs, it’s quite easy to get it to exclude it. For example, a SAN volume with user files on it that is mounted as a local disk on a server might cause the fileserver to incorrectly appear in custom inventory collections.

You need to locate the ‘auditpls.ini’ file in the inventory package on the Altiris server, and add an additional EXCLUDEDIR line under the [LOCALMACHINE] heading, then update the distribution points for the package. Hopefully your clients running the inventory agent should download the updated ini file when they next check in, and next time they run the scheduled inventory the exclusion will be taken into consideration!