A Scripting Server for Domain Automation Tasks
Christian Trachimow, DESY
The DESY WindowsNT Group
Domain administration tasks
• User management
  • delegated to group administrators and „user service“
  • set passwords, create, move, delete, archive, ...
• Group management
  • define composition
• System management
  • query computers for special properties
  • license management
• Different groups take part in these processes
• But: most jobs can be done only with domain admin privileges
• Need a server that holds scripts, controls security and executes scripts
Requirements for a Scripting Server
• Scripts should be stored on the Scripting Server
• Scripts can be triggered by remote machines
• Secure connections with remote machines (encryption)
• Scripts must be run with DA privileges (impersonation)
• Identify which user submits the execution request (authentication)
• Define which groups are allowed to launch the script (security control)
• Easy way of launching scripts
• Logging of all operations (event log)
Why Transaction Server?
• Only used as DCOM repository
• Impersonation: can be defined for a package (collection of objects)
• Encryption: DCOM network security: „packet privacy“
• Authentication is done by DCOM: NTLM
• Easy way of invoking scripts (DCOM)
• Implement a COM object on MTS:
  • Read config file
  • Identify calling user and check if the user is allowed ...
  • Execute script and return standard output
Basic Idea
1. Store all scripts on the Transaction Server (MTS): moveuser.pl, setpasswd.vbs, movehome.pl
2. Edit the config file (XML format)
Basic Idea (cont.)
3. Define roles on the Transaction Server:
  • User Support: desynt\usg, desynt\Domain Admins
  • Domain Operators: desynt\Domain Admins, desynt\operators
Basic Idea (cont.)
• Client / Web Server calls the COM object on the Transaction Server; the object checks the caller against the roles (User Support, Domain Operators) and executes the script:

  Set obj = CreateObject("DSH.ExecuteSync")
  ' returns the script's standard output
  output = obj.InvokeScript("Passwd", "user1 newpassword")
Implementation
• COM object on MTS (called by the client / Web Server; roles: User Support, Domain Operators):
  • Load config file by the MS XML provider
  • Impersonation
  • „GetOriginalCallerID“ from ISecurityContext
  • IObjectContext interface provides the „IsCallerInRole“ method
  • Execute script, redirect standard output to a pipe
  • Log activity
• DCOM:
  • Network: „packet privacy“
  • Authentication: NTLM
Example
• Store script on MTS
• Define role on MTS
• Configure config file: alias name, script location, role
  • ActiveX control makes changes in the configuration file
• Write client script / Web interface (ASP)
Example: write script / configure server / write client script / call script
Conditional execution
• Problem: allow execution only if some conditions are valid
  • Group administrators are only allowed to set the password of their users, not of all users
  • Group admins can remove their computers from the domain
• Could be done within the script
• Execute „Passwd“, „user1 newpassword“ only if the calling user is allowed to manage „user1“
• A condition table defines the relationship between calling user and managed object
  • Defines which management groups are permitted to manage which kind of users, computers or groups
Management definition table
• Check if the „Calling User“ is in a management group and the argument is in a group which that management group is permitted to manage
Who is calling?
• The COM object identifies the calling user before the script runs:

  Set obj = CreateObject("DSH.ExecuteSync")
  output = obj.InvokeScript("Passwd", "user1 newpassword")
Config file extension
• Types of arguments:
  • COMPUTERS
  • USERS
  • GROUPS
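The three checks the deck describes (load the XML config, test the caller against the MTS role, then apply the management definition table to the first argument) combined into one decision path. This is an added model written for this page, not DESY's code: the XML attribute names, the group names under the desynt domain, the callers alice/bob/carol and the table contents are constructed assumptions, and the directory lookups are replaced by in-memory dictionaries.

```python
"""Added model (not DESY's code) of the Scripting Server's authorization path:
load the XML config (alias -> script location, role, argument type), check that
the caller holds the role, then apply the management definition table."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed config file in the spirit of the deck's "xml format" config.
CONFIG_XML = """<?xml version="1.0"?>
<scripts>
  <script alias="Passwd" location="C:\\scripts\\setpasswd.vbs" role="User Support" argtype="USERS"/>
  <script alias="MoveUser" location="C:\\scripts\\moveuser.pl" role="Domain Operators" argtype="USERS"/>
  <script alias="RemoveComputer" location="C:\\scripts\\rmcomp.vbs" role="Domain Operators" argtype="COMPUTERS"/>
</scripts>
"""

# Roles as defined on MTS (slide "Define roles on the Transaction Server").
ROLES: Dict[str, Set[str]] = {
    "User Support": {"desynt\\usg", "desynt\\Domain Admins"},
    "Domain Operators": {"desynt\\Domain Admins", "desynt\\operators"},
}

# Directory group membership; constructed stand-in for an NT domain lookup.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "desynt\\usg": {"desynt\\alice"},
    "desynt\\operators": {"desynt\\bob"},
    "desynt\\Domain Admins": {"desynt\\carol"},
    "desynt\\physics-admins": {"desynt\\alice"},
    "desynt\\physics-users": {"desynt\\user1"},
    "desynt\\physics-computers": {"desynt\\pc42"},
    "desynt\\it-users": {"desynt\\user2"},
}

# Management definition table (constructed): which management group may act on
# which managed groups, per argument type (USERS / COMPUTERS / GROUPS).
MANAGEMENT_TABLE: Dict[tuple, Set[str]] = {
    ("desynt\\physics-admins", "USERS"): {"desynt\\physics-users"},
    ("desynt\\physics-admins", "COMPUTERS"): {"desynt\\physics-computers"},
    ("desynt\\operators", "COMPUTERS"): {"desynt\\physics-computers"},
    ("desynt\\Domain Admins", "USERS"): {"desynt\\physics-users", "desynt\\it-users"},
}


@dataclass(frozen=True)
class ScriptEntry:
    alias: str
    location: str
    role: str
    argtype: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    script_location: Optional[str] = None


def load_config(xml_text: str) -> Dict[str, ScriptEntry]:
    """Parse the config file into a lookup by alias."""
    root = ET.fromstring(xml_text)
    entries = {}
    for node in root.findall("script"):
        e = ScriptEntry(node.get("alias"), node.get("location"), node.get("role"), node.get("argtype"))
        entries[e.alias] = e
    return entries


def groups_of(principal: str) -> Set[str]:
    return {g for g, members in GROUP_MEMBERS.items() if principal in members}


def is_caller_in_role(caller: str, role: str) -> bool:
    """Stand-in for IObjectContext.IsCallerInRole: the role lists groups, the caller must be in one."""
    return bool(ROLES.get(role, set()) & groups_of(caller))


def may_manage(caller: str, argtype: str, target: str) -> bool:
    """Management definition table: some group of the caller is a management
    group for this argument type, and the target is in a group it manages."""
    target_groups = groups_of(target)
    for mgmt_group in groups_of(caller):
        if MANAGEMENT_TABLE.get((mgmt_group, argtype), set()) & target_groups:
            return True
    return False


def authorize(config: Dict[str, ScriptEntry], caller: str, alias: str, args: str) -> Decision:
    """Decide whether `caller` may run `alias` with `args`; the first argument
    token names the managed object (e.g. "user1" in "user1 newpassword")."""
    entry = config.get(alias)
    if entry is None:
        return Decision(False, f"unknown alias {alias!r}")
    if not is_caller_in_role(caller, entry.role):
        return Decision(False, f"{caller} is not in role {entry.role!r}")
    tokens = args.split()
    if not tokens:
        return Decision(False, "missing managed-object argument")
    target = tokens[0] if "\\" in tokens[0] else "desynt\\" + tokens[0]
    if not may_manage(caller, entry.argtype, target):
        return Decision(False, f"{caller} does not manage {target} ({entry.argtype})")
    return Decision(True, "ok", entry.location)


CONFIG = load_config(CONFIG_XML)

if __name__ == "__main__":
    for caller, alias, args in [("desynt\\alice", "Passwd", "user1 newpassword"),
                                ("desynt\\alice", "Passwd", "user2 newpassword"),
                                ("desynt\\bob", "RemoveComputer", "pc42")]:
        print(caller, alias, args, "->", authorize(CONFIG, caller, alias, args))
```

The role check alone would let any User Support member reset any user's password; the table check is what restricts a group administrator to the users of their own group, which is the point of the "Conditional execution" slide.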
Summary
• Scripts can be stored and executed on the „Scripting Server“ (with Domain Administrator rights)
• Define by „role“ who is permitted to launch the scripts
• Conditional execution: a table defines the relationship between calling user and managed object
• Configuration settings can be managed by an ActiveX component
• Example: configure condition
Asynchronous execution
• Some scripts take a long time to finish
  • Move home directory, archive user data
• Web server has a timeout interval for ASP pages
• The user cannot see if the script was executed successfully
Asynchronous execution:
• Submitting a script execution request: the method returns an ID
• Check status of the execution by ID
  • In queue / currently executed / finished
• Notification after execution has finished
Implementation: MSMQ (Message Queue Server)
• Execution request → in queue → currently executed → finished (on the Transaction Server)

  Set obj = CreateObject("DSH.ExecuteAsync")
  ' returns the ID of the queued request; the last two arguments are the notification address and mail body
  requestId = obj.InvokeScript("Passwd", "user1 newpassword", "user@desy.de", "some text for the body")
Event driven execution
• Query computer for special properties
  • Problem: the script fails if the computer is not online
• Hold the script in a queue and launch it only if the event occurs
  • Events: „computer is online“, „time is reached“, ...
• Other requirements:
  • Retry execution on error
  • Define a time range after which the execution request will be dropped
  • Notification by email
Implementation: MSMQ
• Execution request → in queue, check event „computer is online“ → currently executed → finished (on the Transaction Server)
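The queue behaviour described on the asynchronous and event driven slides (submit returns an ID; status is in queue / currently executed / finished; a request runs only once its event holds; retry on error; drop after the time range; notification when it leaves the queue) as one scheduler. This is an added model written for this page, not DESY's MSMQ implementation: the script runner, the mail sender and the clock are injected callables, the `Status` names and the DROPPED state are assumptions, and nothing here talks to MSMQ or a real mail server.

```python
"""Added model (not DESY's code) of the asynchronous, event-driven execution
queue: submit returns an ID, status is in queue / currently executed / finished,
a request runs only once its event condition holds, failed runs are retried,
requests past their time range are dropped, and a notification is sent when a
request leaves the queue."""
import enum
import itertools
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class Status(enum.Enum):
    QUEUED = "in queue"
    RUNNING = "currently executed"
    FINISHED = "finished"
    DROPPED = "dropped"          # assumption: state for expired / failed requests


@dataclass
class Request:
    request_id: int
    alias: str
    args: str
    notify: Optional[str]          # e-mail address to notify, or None
    condition: Callable[[], bool]  # event check, e.g. "computer is online"
    not_after: float               # drop the request after this time
    max_retries: int
    status: Status = Status.QUEUED
    attempts: int = 0
    output: str = ""
    errors: List[str] = field(default_factory=list)


class AsyncScriptQueue:
    """Stand-in for the MSMQ-backed queue on the transaction server.
    `runner(alias, args)` executes a script and returns its standard output
    (raises on failure); `send_mail(to, subject, body)` delivers notifications;
    `clock()` returns the current time (injected so runs are deterministic)."""

    def __init__(self, runner, send_mail, clock):
        self._runner = runner
        self._send_mail = send_mail
        self._clock = clock
        self._ids = itertools.count(1)
        self._requests: Dict[int, Request] = {}

    def submit(self, alias, args, notify=None, condition=lambda: True,
               ttl=3600.0, max_retries=2) -> int:
        """Queue an execution request and return its ID (the asynchronous InvokeScript)."""
        rid = next(self._ids)
        self._requests[rid] = Request(rid, alias, args, notify, condition,
                                      self._clock() + ttl, max_retries)
        return rid

    def status(self, rid: int) -> Status:
        return self._requests[rid].status

    def result(self, rid: int) -> str:
        return self._requests[rid].output

    def process_once(self) -> List[int]:
        """One scheduler pass over queued requests; returns the IDs acted on."""
        acted = []
        for req in self._requests.values():
            if req.status is not Status.QUEUED:
                continue
            if self._clock() > req.not_after:          # time range exceeded
                req.status = Status.DROPPED
                self._notify(req, "dropped: time range exceeded")
                acted.append(req.request_id)
            elif req.condition():                       # event occurred, run now
                req.status = Status.RUNNING
                req.attempts += 1
                try:
                    req.output = self._runner(req.alias, req.args)
                    req.status = Status.FINISHED
                    self._notify(req, "finished")
                except Exception as exc:                # retry until max_retries, then give up
                    req.errors.append(str(exc))
                    if req.attempts > req.max_retries:
                        req.status = Status.DROPPED
                        self._notify(req, "dropped: retries exhausted")
                    else:
                        req.status = Status.QUEUED
                acted.append(req.request_id)
        return acted

    def _notify(self, req: Request, what: str) -> None:
        if req.notify:
            self._send_mail(req.notify, f"request {req.request_id} ({req.alias}) {what}",
                            req.output or "\n".join(req.errors))


if __name__ == "__main__":
    online = {"pc42": False}                            # constructed "computer is online" state
    q = AsyncScriptQueue(lambda a, b: f"{a} {b}: ok", lambda to, s, body: print("mail", to, s), lambda: 0.0)
    rid = q.submit("QueryComputer", "pc42", notify="user@desy.de", condition=lambda: online["pc42"])
    print(rid, q.status(rid).value); q.process_once(); print(q.status(rid).value)
    online["pc42"] = True; q.process_once(); print(q.status(rid).value, q.result(rid))
```

The event check is evaluated on every scheduler pass rather than once at submit time, which is what lets a request for an offline computer wait in the queue until the machine appears, and the expiry check runs before the event check so a request that never becomes runnable still leaves the queue.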
Example
• Web based domain management