Deploying agents on Windows operating systems

The first step, when we want to install an application is to download the latest version. We head over to the official OCS Inventory NG website and locate the latest Win32 agent binaries in the archived format in the Download section. At the time of writing, the latest final version of the agent is 1.02, also known as internal version 4.0.5.4.

The archive is named in the following way: OCSNG_WINDOWS_AGENT_1.02.zip, where the last digits stand for the version number. Its size is around 2.5MB. Once it is downloaded and extracted, we find the following files:

  • ocsagent.exe: Installs the standalone agent
  • OcsAgentSetup.exe: Launches the installation wizard (service type)
  • OcsLogon.exe: Downloads the binaries from the communication server, or if it's already installed, the agent is launched again (it can install both types)
  • Changelog: Contains the change log of the latest modifications
  • LICENSE.txt: The GPL v2 License

There are various command-line arguments that are supported, which are discussed in the next section.

Getting familiar with command-line arguments

At first, we have the OcsAgentSetup.exe. It's the installation wizard. Under normal circumstances, we just follow the installation steps, and the agent is set up seamlessly. However, we can use one or more of the following wizard-specific argument switches:

  • /S: This option is used to execute silent mode as this disables user interaction.
  • /UPGRADE: This option upgrades the service agent (if an upgrade is needed).
  • /NOSPLASH: This option disables the splash screen.
  • /NoOcs_ContactLnk: This option eliminates the Ocs-Contact link from the Start menu.
  • /D=path: This option is used to specify a custom install folder, quotes are not supported
    • Warning: This must be the last parameter (if using more than one).

    Note

    At this point, do not worry if some of the command-line switches seem confusing. We're listing all of them for future reference. As progress is made, each one of them will be debunked and discussed in detail.

Besides the aforementioned switches, all of the command-line switches of the agent are also supported, which are listed as follows:

  • /server:name_of_ocs_server: Specifies the name of the OCS management server.
  • /np: No proxy, disables the proxies defined in the Internet Explorer settings.
  • /pnum:XX: Here XX is the port number via which HTTP communication is possible and the web server can be contacted. In the case of caching proxies (that is Squid) that could be 3128 or other proxies on 8080.
    • By default, port 80 is used (use this option to specify other ports).
  • /local: This option executes the agent in the local inventory mode. It gathers and saves the inventory data in a [hostname].ocs format in the agent folder.
    • The results are stored in a compressed XML format.
    • The agent does not try to contact the OCS-NG communication server.
  • /file: This saves everything just like using the /local tag, but it contacts the communication server. This one is useful when we need the file for future use.
  • /xml: Just like the previous one, it creates a file but in a non-compressed XML format.
    • If used in conjunction with /local, the agent won't contact the server.
    • If used without the /local tag, the agent contacts the communication server.
  • /nosoftware: When this option is used, the agent will not report the installed software.
  • /notag: When this option is used, the agent will not require the TAG value.
  • /tag:my_tag: Here my_tag stands for the custom-specified TAG value.
  • /hkcu: The agent looks into the HKCU registry hive for installed software.
  • /debug: A useful command which enables logging. A file called [hostname].log will be created.
  • /force: When this option is used, the agent will be forced to send in the inventory data.
    • This is required when the database needs to be updated right away, and we cannot allow waiting for the frequency countdown again.
  • /uid: When this option is used, the agent generates a new user ID.
  • /dmi: When a computer serial number cannot be retrieved through WMI, the agent will opt for using DMI tables via the BiosInfo.exe tool.
  • /biosfunc: Just like the previous switch, but it forces the agent to use BIOS functions
  • /conf:configfile: Here configfile specifies the configuration file.
    • By default, the Ocsinventory.dat is taken as the configuration file.
  • /test: This argument tests the HTTP connection.
    • It is meant to be used in correlation with /debug, /np, or /pnum.
    • If all goes well, an ok.ok file is created in the agent's directory.
  • /fastip: In this way, the agent checks only five IPs if elected by the server as the IPDISCOVER host. This tag should never be used for production use.
  • /ipdisc:X: This mode forces the agent to run the IpDiscover feature on the network number X, but only if the server asks for an inventory.
    • To ensure that it is going to be executed, it needs to be used with the /force tag. In this way, the agent will contact the server and perform the aforementioned steps.

In addition to the already extensive list of command-line switches, we need to add a few more command-line switches, which can be used with the OcsLogon.exe launcher:

  • /DEPLOY:XXXX: This switch specifies the agent version number
  • /INSTALL: This one picks the service agent type instead of the standalone
  • /PATH:path: This option specifies the installation path

Manual installation strategies

Both agent types can be installed manually. The setup wizard installs the service type.

In the beginning of this chapter, we were given a hint of what to expect. The manual installation sports a standard Windows installation wizard. Of course, you can opt for command-line switches in order to enable its silent mode, but let's not get ahead of ourselves. Assuming we have downloaded and unpacked the latest stable version of the OCS-NG agent for Win32 operating systems, we then execute the OcsAgentSetup.exe file.

The following screenshot shows the first screen of the setup wizard.

Manual installation strategies

The next screen should not surprise anyone. The license agreement will be displayed inside that textbox. In our case, the license is the GPL v2.

Manual installation strategies

After accepting the license, the next screen finally shows some options.

Manual installation strategies

The first field to fill in is the Server Address of the OCS-NG management server. The second field, that is, Server Port, requires the HTTP port through which it can be accessed. The checkboxes stand for those command-line switch arguments we enlisted earlier. Then, there's an entire field left for Miscellaneous arguments.

In the example mentioned, we have selected the Enable log file, Immediately launch inventory, the No OCS_Contact shortcut link, and added the /NOSPLASH tag. The OCS_Contact shortcut is a shortcut that appears in the Windows start menu. It points to %PATH%\Ocs_contact.exe /S and has the following shortcut icon. It is a harmless shortcut, but some people might not like it due to the presence of a new application on their machine. On an enterprise level, silence is required. The OCS_contact shortcut can be seen in the following screenshot:

Manual installation strategies

Now that we have configured the agent according to our needs, we can click Next. The wizard proceeds to ask us for the destination path. Here we either browse to specify a custom path or just hit Enter by moving forward—leaving the default %ProgramFiles%\OCS Inventory Agent folder. The size of the fully-installed agent is 3.40 MB.

Once the wizard has finished the installation, you can check whether the service was installed. Here's one way we can check this. Go to Start | Run | services.msc, browse through the list of services, and find OCS INVENTORY SERVICE. Its Description is OCS Inventory NG Service: Automatic inventory and software deployment system. If all went well, it should already be Started (at the Service status). Its Startup type is set to Automatic.

Should we examine the Properties of the service, we will see a screen similar to the following screenshot:

Manual installation strategies

We have selected the Immediately launch inventory checkbox during the setup, so this means that, by now, our system should be inventoried and the management server has provided us with the gathered data. We can check the [hostname].logfile located inside the agent's directory. All of the tasks carried out are verbosely logged and are self-explanatory.

Should we want to execute an unattended installation of the wizard, we will use the silent command-line argument (/s). Everything will go smoothly as long as we specify all of the other necessary parameters (like server name, port number, no proxies if need be, and so on).

OcsAgentSetup.exe /s /server:name_of_OCS_server /pnum:80 /np /now /debug

Nevertheless, if we want to install the standalone agent, then we are going to use the other manual deployment solution. We will execute the OcsAgent.exe executable along with the /local argument. The setup will try to install the agent to the C:\ocs-ng directory. If it does not have sufficient privileges, then it tries to install the agent in the temporary folder of the user, under which it is executed. Thus, it is advised to launch it with administrative rights.

The setup of the standalone agent will ask where to store the exported inventory results. When we are launching for the first time, the wizard will ask us to specify the TAG. Unless we want to use TAG-based categorization, we can leave this field empty. Chapter 4, Finding your Way through OCS-NG Features will look into TAG repartition. Now, let's leave it blank just for testing.

The standalone agent can be rerun later on using the Ocsinventory.exe /local execution. This means that we can set up a schedule or make an unattended script for those machines that are not networked, and on which the standalone agent is the only solution. Then, we will refresh the inventory after a certain period of time, and manually import the result files.

Using OcsLogon.exe to deploy via GPO or login scripts

In order to understand how this remote agent deployment solution works, we first need to explain what OcsLogon.exe is about. It is a launcher tool. It is basically designed to work inside login scripts and Active Directory Group Policy Objects (GPOs). Once executed on a client machine, it checks whether the agent is installed or not. If not, it then proceeds to install the agent. Otherwise, the agent is just launched.

The launcher downloads the latest binaries from the communication server if it finds out that the agent is not installed on the client machine. The launcher can set up both agent types. The only way to differentiate between these is by using the /install command-line switch. By doing so, we are opting for the service type agent. On the contrary, the standalone agent is set up.

The way it contacts the communication server is described here. At first, it is assumed that we should have the ocsinventory-ng DNS name defined in our DNS server. That hostname should point to our OCS-NG central management server (also the communication server, or tune it appropriately in case of distributed configurations).

There is another solution to provide the path to the communication server if we do not plan to add that DNS name within our scopes. The OcsLogon.exe executable can be renamed so that its filename (excluding the .exe extension) points to the OCS server. It can either be called as the server's correct hostname if it appears inside DNS and can be resolved appropriately or by simply using the IP address. Here are a few examples:

  • ocs-server.mydomain.co.uk.exe
    • The ocs-server.mydomain.co.uk points to your OCS server
  • 10.10.10.05.exe
    • In this case, the 10.10.10.05 is the IP address of the OCS server

As you can see, the launcher will strip off the .exe executable part and consider the rest as the path to the server. Therefore, let's not forget to name this file accordingly, if we cannot set up the DNS ocsinventory-ng to point to our OCS server, and, of course, if we plan to use the launcher to remotely deploy the agent on client machines.

Note

Memory refresher: The OcsLogon.exe launcher supports all of the command-line switches we mentioned earlier. Please go back a few pages, when in doubt.

Now that we know how the OcsLogon.exe launcher works, let's find out how the dedicated agent packager works. Right after that, we need to discuss the preliminary steps of getting the agent uploaded on the communication server. This can be done via the administration console. Either kind of service type can be installed as command-line switches are supported. It all depends on the agent package you prepare for deployment.

Using the packager to create the deployable agent

The development team behind OCS-NG created a so-called OCS Inventory NG Packager utility. This tool works together with the Windows service internals and is able to register anything as a service, even without administrator privileges. The admin account is specified prior to creating the package. The installer will run under that account. It was designed to package the OcsLogin.exe launcher according to your agent preference.

Once the package is installed, it's called OcsPackage.exe, and it means that we can hook it up on the OCS-NG communication server. The final step is deploying the package.

Let's not get ahead of ourselves now. We can download the packager from the same OCS NG repository on SourceForge. Check the following URL:

http://sourceforge.net/projects/ocsinventory/files/OCS%20Inventory%20NG

The latest packager at the time of writing is the 1.02. Download and extract it.

Inside we will find only one executable. Its interface is straightforward.

Using the packager to create the deployable agent

The Exe file is going to be the OcsAgentSetup.exe. We discussed its command-line switches, and we know that it is much more than just a GUI installation wizard. It can be scripted, run in silent mode, with specific commands, and thus, it's exactly what we need.

We can use SSL certificates to check the server prior deployment. This means that clients are given certificates which can act as fingerprints to authenticate the deployment server. This is critical as package deployment and remote command execution is practically an open door for exploits and malicious undertakings. In this way, we can always be sure that the source server of packages is not compromised. Clients can test this themselves.

Finally, the last step, which is the most important one, is that we need to specify the account through which the installer runs. In the case of a domain, this account must have administrative privileges on the local machine to install new services and copy files. As such, it's recommended to create a special account dedicated to this task that has the necessary privileges.

Using the domain admin account is dangerous, but it works (please refer to the Microsoft service security planning guide linked earlier in this chapter). It depends on how the overall security is tightened and monitored. It can be any other account with local administrative rights. The same applies in the case of workstations.

The next window asks for the destination where the packaged end result is placed.

Getting the agent package on the OCS-NG server

The OcsPackage.exe needs to be uploaded on the OCS-NG server. We're going to do this by logging into the administration console. Keep in mind that this time, we won't get into each and every functionality that lies there because that is what the next chapter will cover. Right now we are taking an action-oriented approach.

We point our browser to the OCS-NG administration console interface's URL:

http://ocsinventory-ng/ocsreports

In the previous path, ocsinventory-ng stands for the OCS-NG server name. If we haven't changed our admin user and password yet, then we log in with admin and admin. On the Users toolbar, we can find the predefined users, edit them, and set up new ones. Once we are in, we will navigate to the agent toolbar, it's the fourth icon on the right (the longest) toolbar. It looks like two gears working.

Getting the agent package on the OCS-NG server

Alright, now we're already seeing the path to the source of the package we just created. On uploading the OcsPackage.exe, the agent is practically ready to be deployed.This means that the OCS-NG communication server can serve the requests of agents. Deployment happens in the following fashion:

  • OcsLauncher.exe is executed on the client computer
    • It's the launcher we mentioned earlier
  • It requests the OcsPackage.exe (the agent) from the communication server
  • Once downloaded, the OcsPackage.exe is executed
    • It logs into the specified account and runs the agent installer

As you can see, the OCS-NG Packager can be used to install and set up other files as well. The OcsLauncher.exe just checks whether an agent exists on the client machine. If it finds it installed, it executes it. If no agent can be found, it proceeds to request one from the OCS-NG server, and depending on the specified flags it sets up either of the agent types.

It downloads the entire OcsPackage.exe just as it was uploaded on the OCS-NG server. Therefore, if we want to build in more files, then we can use the Packager's Select Additional Files option to add them. In this way, once it logs into the specified account, along with the OcsAgentSetup.exe, the other files are downloaded to the client machine.

We can also remotely execute Visual Basic script files (.vbs). We add the Cscript.exe path to the Exe file. Add our .vbs script via the Select Additional Files option, and finally write script.vbs /B in the command-line options.

Deployment via Active Directory GPOs

It is beyond the scope of this book to explain what Active Directory is about or what group policies are about. As such, we will assume the following; if we want to use these deployment methodologies, we can deduce that we have some kind of familiarity with these Microsoft administration technologies.

If you are managing such a tiny environment that these concepts are unknown to you, but still want to get your feet wet with remote agent deployment, then we wholeheartedly recommend the PsExec solution that's going to be covered in the following pages.

Here we're going to create a login script and enforce it via group policies.

Now that we're past the general assumptions, let's launch the Active Directory Users and Computers MMC snap-in. Start | Run| dsa.msc. Find your Active Directory domain or organizational unit that you are managing. For the sake of keeping things simple and uniform, let's call our domain mydomain.com. Once you selected your domain, right-click and select Properties.

Out of those tabs, let's navigate to the Group Policy tab. There we can find our policies (if there are any). We can either edit an existing one or create a new one. Whichever option we pick, there are two main categories, namely, computer policies and user policies. The former is computer specific, and in our case, they are executed when the computer starts up. The latter is user specific, and requires some user to log in.

Nowadays, there is a new MMC snap-in called gpmc.msc—Group Policy Management. This tool is installed by default on Windows Server 2008 operating systems but not on Windows 2003 or earlier. This snap-in gives us a slightly more advanced interface. It lists the forest, inside which we can pick our domain mydomain.com.

Here we are going to find our organization units and Group Policy Objects. When we expand the GPO field by clicking on the '-' (minus), all of our policies will be displayed (if there are any). We can also monitor which ones are enforced, which are linked, and so on. This is also the place of security filtering, such as deciding whether the policy applies to specific users, groups, or computers. Under most circumstances, this is Authenticated Users.

Deployment via Active Directory GPOs

Without trying to sound like an Active Directory tutorial, let's focus on how to edit such a policy with this new GPMC snap-in. Right-click on one of the existing policies or create a new one. The Group Policy Management Editor will pop up as a new window. From this point onwards, everything remains the same. We have computer and user policies too.

Scripts that are inside computer policies are called Startup and Shutdown scripts. These are executed on computer startup and shutdown. What matters to us right now is the startup category. That's where we should place the inventory agent.

The scripts that are inside user policies are called Logon and Logoff scripts. The reason for that is self-explanatory, these are executed when a user either logs in or logs off. The agent can be deployed this way too, though in most situations it's not an ideal option.

The following screenshot gives us a sense of where to find these scripts inside the GPO:

Deployment via Active Directory GPOs

Now, let's right-click on the Scripts (Startup/Shutdown) right inside the Windows Settings tree. We pick Startup and select Properties. A new window will be displayed, and we can see our already existing startup scripts (if there are any). Before we head over to add a new script, click on the Show Files button. It will bring up an Explorer window showing the destination where these scripts are located.

This is where we are going to copy our OcsLogon.exe launcher. Let's not forget that there are situations when this file gets renamed. If that's the case, then copy the renamed launcher. Once the file is stored there, you can click on Add on the Startup Scripts window. This will bring up a new window where you can specify the path of the new script. As we just copied there, you can easily specify this.

The command-line arguments can be added to the special parameters field. These are additionally added at the end of the launcher, just like if it were done manually. This means that if we want to install the service type agent, now is the time to specify the /install command-line switch. Also add the /S, /DEBUG, and other parameters.

The following screenshot shows a simplified version of the tasks that were mentioned:

Deployment via Active Directory GPOs

Should we opt for the login scripts instead of startup scripts, it can be done in a similar fashion. Instead of messing with computer policies, we fiddle with user policies.

Keep in mind that deploying scripts via Active Directory GPOs is not the only solution.

Initiating deployment with OcsLogon.exe via login script

At first glance, these two solutions are similar. The previous modality was based on policies. This meant we could enforce different policies on Organizational Units(OUs) based on whatever criteria we wanted. This has given us flexibility, which is necessary in specific cases, but there are those situations when we don't want to use group policies. For example, if we have just one domain, and we're looking for a solution to deploy the agents based on users.

This time, we want to set up a session login script across our domain.

The first step is to copy the OcsLogon.exe launcher to a place on the network that is going to be readable by everyone from the domain. It's advised to set up that location as shared to Authenticated Users. The script that we're going to create will download the launcher from this path. That's why it is critical to be available (readable).

The script can be either a traditional batch file or vbscript. What we want to do is quite trivial. We want to execute the launcher from that path using a few command-line switches.

Here's an example where the renamed launcher is on file-serv at the ocsagent-kit folder:

\\file-serv\ocsagent-kit\10.10.10.05.exe /debug /np /install /s

This line can be thrown into a batch script, with an @echo off in the first line in order to prevent echoing on the display. In this way, no output will be presented, just a flashing command/terminal box at most. The extension must be .bat as expected.

Once the script is done, the next step is to copy into our primary domain controller's scripts folder. This is along the lines of the c:\windows\sysvol\sysvol\<mydomain.com>\scripts path.

Now, fire up the Active Directory Users and Computers MMC snap-in (dsa.msc). Find your users within the domain tree, and then link the scripts to each of them. We can do this by clicking Properties, and then we have the following alternatives. We either set it up as a User Profile | Logon Script: [specify the path] using Browse, or at the Environment tab, we check the box Start the following program at logon and add our script.

As you can see, this modality is much more recommended when there are just a handful of users. We pick those users, set the agent up as a login script, and we are done with it. We can add the creation of response files, such as create ok.txt on some predetermined folder. The script checks whether this ok.txt exists, and if yes, then the agent is already installed, and it is not executed anymore. You can also check this manually.

Command execution, via scripts, opens up lots of doors. In corporate environments, usually there are login and logoff scripts, and users are categorized into different organizational units. We might also have dozens of groups, but it's not that hard to decide which options are better. The best practice is to use a combination of the previously mentioned solutions. Furthermore, we can mix in a little bit of PsExec. This is what we're going to cover right now.

Unattended installation via the PsExec.exe tool

Chances are that we cannot find a system administrator that has managed a predominantly Windows-based environment and hasn't heard about the PsTools suite. This collection of command-line tools is useful to get most of the administrative tasks done. It was originally developed by a Sysinternals, but then it was taken over by Microsoft. Check out the suite's page at:

http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

PsExec is one component of the PsTools package. It's a telnet-like replacement that was specifically designed for remote execution of processes on client computers. It allows full interaction with applications. We can literally launch any command on a remote system, while having the output displayed on our screen. That is, if we have sufficient privileges.

We can download the entire PsTools suite directly from the following URL:

http://download.sysinternals.com/Files/PsTools.zip

It does not require an installation on client machines. We simply download, extract, and fire up a command prompt under administrative privileges, and find the path where we unpacked PsTools. Launch PsExec, and a descriptive help is printed out. Examine its command-line switches. Then decide the kind of deployment you're looking for.

A few examples of how to perform specific deployments are given as follows:

  • Sweep through the domain and deploy the agent on already logged on hosts:
PsExec.exe \\* -s \\file-serv\ocsagent-kit\OcsLauncher.exe /debug /np /install /s
  • Install the agent on a specific computer:
PsExec.exe \\Sarah-PC -s \\file-serv\ocsagent-kit\OcsLauncher.exe /install /s
  • Deploy the agent on a list of computers by using a text file to specify them:
PsExec.exe @hosts.txt -s -u mydomain\domainadmin \\file-serv\ocsagent-kit\OcsLauncher.exe /debug /np /install /s

The previous command will ask for the domain admin password. Nothing will appear, and you will need to type in the password and hit Enter. The hosts.txt should be on the same folder from where you are executing the PsExec. This file is an ordinary text file where each computer name appears on a separate new line.

We can think of various other scenarios. We can log the output into a text file, should we somehow not be able to monitor the output. We can do this by adding the> log.txt at the end of the PsExec command. This copies all the output into the text file. Keep in mind that by doing so, we will prohibit the printing of any output on the display as well.

In the previous section, Unattended installation via PsExec.exe tool, we mentioned a little about the best practices in deployment. Let's say we launch the remote execution of the agent installation during business hours on all of the already logged in users. We will create a response file, monitor the output, and find out the hosts that were offline.

We can also opt to create a text file that contains all of the hosts within our domain (list all hosts into a text file), and then run the command on the file. The results can be printed into a logfile using the> operator. In this way, we will know which computers were skipped. These were, presumably, unavailable. Alright, so what's next?

We set up a logon script via AD GPOs or session login script for those users sitting beside those hosts. The said script should create a feedback that we can monitor later on in order to decide what happened.

Finally, we can also opt to use PsExec's targeted deployment on those specific hosts that were skipped until this point. There are lots of other alternatives as well.

上一章目录下一章