2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Foreword:
SCCM is Microsoft's asset management software, and it normally works well with Windows.
But it relies heavily on several of Windows's native services:
AD, IIS, SQL Server, WDS, WSUS, etc., so it is best to use a clean server when deploying.
I got an error when installing SCCM on one of the IIS and SQL Server servers.
After changing to a clean server, it was easy to install.
There was an unexpected problem while installing the client.
Background:
1. SCCM is deployed in the branch office, but the clients are joined to the head office's domain, and the domain administrator account password is not available.
2. All servers, including SCCM, are in a separate local domain: Server.local
3. The clients previously went through a lossless domain migration using homemade tools.
Problems that have occurred:
1. SCCM discovery finds all computers and users, including those of the parent company and other subsidiaries.
2. The SCCM client cannot be pushed to domain-migrated computers.
3. The client cannot automatically discover the site created by SCCM.
What should I do?
Solution:
1. I just want to find the users and devices of the subsidiary, which reminds me of the OU setting in AD.
In AD System Discovery and AD User Discovery, set the subsidiary's OU; discovery then returns all the devices and users of the subsidiary.
2. The SCCM client cannot be pushed to domain-migrated computers.
1) There is no domain administrator account, but I reasoned that a domain account can log on to every domain computer, so any domain account can be used for intra-domain authentication. Using a personal domain account, the clients were successfully discovered and installed.
2) During installation, some computers could not be installed. On investigation, these were the computers that had gone through the earlier domain migration. By comparison, the original client migration had not added the subsidiary's group to the local Administrators group.
Computer - Manage - System Tools - Local Users and Groups - Groups: add the subsidiary's domain group to the Administrators group. Format: domain\group
3) At this point, the domain user accounts of the whole subsidiary are granted local administrator privileges, and the following questions arise:
Does the group have to be added manually on every client?
This was obviously inefficient, so I came up with the idea of using a batch script to solve the problem. That requires an account with permissions on the local computer, but luckily every computer had an Administrator account and the password was the same.
When a client logs in with its own domain account, how can each client run the batch file automatically?
Step 1: create a scheduled task remotely using SCHTASKS. Add a scheduled task on each client that runs as domain\group, so that it is run for users who log in with a domain account in that group. Code:
    rem hostlist.txt holds one client host name per line
    for /f "tokens=*" %%a in (hostlist.txt) do (
        echo %%a >> add_task_log.txt 2>&1
        rem /U and /P pass the shared local Administrator account and its password on the command line
        SCHTASKS /Create /F /S %%a /U %%a\administrator /P thisispasswrod /RU "domain\sub-company-group" /SC MINUTE /MO 2 /TN add_group /TR \\172.31.200.200\soft\add_premission.bat >> add_task_log.txt 2>&1
    )
    pause
Step 2: write the script add_premission.bat that the scheduled task runs.
Main functions of add_premission.bat: add domain\sub-company-group to the Administrators group, delete the previous scheduled task add_group, and create a new scheduled task StartRun.
    @echo off
    echo --------------------------------
    echo The system is configuring SCCM.
    echo A user account prompt appears. Please confirm it.
    echo IT TEL:6666/8888
    echo --------------------------------
    rem Check for administrator rights: cacls on this file only succeeds when elevated
    >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
    if '%errorlevel%' NEQ '0' (goto UACPrompt) else (goto gotAdmin)

    :UACPrompt
    rem Write a small VBScript that restarts this batch file with the "runas" verb
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
    "%temp%\getadmin.vbs"
    exit /B

    :gotAdmin
    if exist "%temp%\getadmin.vbs" (del "%temp%\getadmin.vbs")
    rem From here on the script runs as an administrator. Otherwise, clients with
    rem User Account Control do not have permission to execute the script file.
    rem Log the host name, then add the domain group to the local Administrators group
    hostname >> add_group_log.txt 2>&1
    net localgroup administrators domain\sub-company-group /add >> add_group_log.txt 2>&1
    rem Remove the two-minute bootstrap task and create the StartRun task
    SCHTASKS /Delete /F /TN add_group
    SCHTASKS /Create /F /RU "domain\sub-company-group" /SC ONSTART /TN StartRun /TR \\172.31.200.200\soft\modify_reg.bat >> add_group_log.txt 2>&1
3. The client cannot automatically discover the site created by SCCM.
This may be because the server and the client are not in the same domain, so the client's SCCM DNS and site values need to be changed.
The StartRun task is used to modify the client's site values. Because the scheduled task was added for the domain user group, it will not be executed when the system starts.
The script that it runs is modify_reg.bat.
To run as an administrator, the script copies the registry file site.reg and the batch file addreg.bat, which imports the registry file, to the local disk, and then calls addreg.bat to import the values into the registry.
Code:
    @echo off
    echo --------------------------------
    echo The system is configuring SCCM.
    echo A user account prompt appears. Please confirm it.
    echo IT TEL:6666/8888
    echo --------------------------------
    rem Check for administrator rights: cacls on this file only succeeds when elevated
    >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
    if '%errorlevel%' NEQ '0' (goto UACPrompt) else (goto gotAdmin)

    :UACPrompt
    rem Write a small VBScript that restarts this batch file with the "runas" verb
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
    "%temp%\getadmin.vbs"
    exit /B

    :gotAdmin
    if exist "%temp%\getadmin.vbs" (del "%temp%\getadmin.vbs")
    rem Copy the registry file and the import script from the share to the local disk
    copy \\172.31.200.200\soft\site.reg c:\site.reg
    copy \\172.31.200.200\soft\addregtest.bat c:\addreg.bat
    rem Run the local copy of the import script
    cd /D c:\
    call addreg.bat
Registry file site.reg:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP]
    "ManagementPoints"="CMRDSV017.tmrd.local"
    "SiteCode"="DM1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client]
    "AssignedSiteCode"="DM1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup]
    "LastValidMP"="http://CMRDSV017.tmrd.local"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\LocationServices]
    "DnsSuffix"="TMRD.LOCAL"
addreg.bat:
    rem Silently import the registry file that modify_reg.bat copied to c:\site.reg
    regedit /s "c:\site.reg"
4) Finally, run the StartRun task manually.
    rem Trigger the StartRun task on every host listed in hostlist.txt
    for /f "tokens=*" %%a in (hostlist.txt) do (
        echo %%a >> execlog.txt 2>&1
        SCHTASKS /Run /S %%a /U %%a\administrator /P thisispasswrod /I /TN startRUN >> execlog.txt 2>&1
    )
    pause
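A check for the end state of the whole procedure, added here as an example and not part of the original post: run in an elevated PowerShell on one client, it confirms that the values from site.reg are in the registry, that the subsidiary group is in the local Administrators group, and that the two-minute add_group task was removed while StartRun exists. The variable names are illustrative; the registry values and task names are the ones shown above, and `domain\sub-company-group` is the page's placeholder.

```powershell
# Added verification example (not from the original post). Run elevated on a client.
# Expected values are copied from site.reg; the group name is the page's placeholder.
$group    = 'domain\sub-company-group'
$expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\SMS\DP';               Name = 'ManagementPoints'; Value = 'CMRDSV017.tmrd.local' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\SMS\DP';               Name = 'SiteCode';         Value = 'DM1' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client';    Name = 'AssignedSiteCode'; Value = 'DM1' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\CCMSetup';             Name = 'LastValidMP';      Value = 'http://CMRDSV017.tmrd.local' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\CCM\LocationServices'; Name = 'DnsSuffix';        Value = 'TMRD.LOCAL' }
)

# 1. Registry: a missing key or value is reported as a failed check, not an error
$results = @(foreach ($e in $expected) {
    $prop   = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($prop) { $prop.($e.Name) } else { $null }
    [pscustomobject]@{ Check = "$($e.Key)\$($e.Name)"; Actual = $actual; OK = ($actual -eq $e.Value) }
})

# 2. Local Administrators: the group added by add_premission.bat should be listed
$members  = net localgroup administrators | ForEach-Object { $_.Trim() }
$isMember = $members -contains $group
$results += [pscustomobject]@{ Check = "Administrators contains $group"; Actual = $isMember; OK = $isMember }

# 3. Scheduled tasks: add_group must be gone, StartRun must exist
$tasks = @{ Name = 'add_group'; Present = $false }, @{ Name = 'StartRun'; Present = $true }
foreach ($t in $tasks) {
    $null    = schtasks /Query /TN $t.Name 2>&1      # exit code 0 means the task exists
    $present = ($LASTEXITCODE -eq 0)
    $results += [pscustomobject]@{ Check = "Task $($t.Name) present"; Actual = $present; OK = ($present -eq $t.Present) }
}

$results | Format-Table -AutoSize
"{0} of {1} checks passed" -f @($results | Where-Object OK).Count, $results.Count
```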