Hello everyone, I'm new to kix start and I was wondering if I could get some help... I have a problem with computers on our network that weren't syspreped, and they won't register with our WSUS server properly. I have found the following script which fixes the issue, but it's a .bat file i think. What I need to do is authenticate as a domain administrator, and then make the following changes....all quiet to the regular domain users.
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Welcome to the board. To avoid having members repeatedly correct you, the product with which you are working is KiXtart not "kix start".
The approach you should take with your script is to write an "Admin" script that you would execute from a central console and it would connect to each remote computer and delte the keys or values in question. You would execute the script as a domain admin which would then have the appropriate access on each computer.
I'm sorry, i forgot to mention that I'm running active directory with group policies. So the script would be encrypted with kixcrypt and then shared in the netlogon folder of our domain. (encrypted to protect the domain admin username/password)
Registered: 2002-03-27
Posts: 4672
Loc: The Netherlands
Quote:
... So the script would be encrypted with kixcrypt and then shared in the netlogon folder of our domain. (encrypted to protect the domain admin username/password) ....
Encrypted script will be decrypted when executed and stored locally as a regular kix script. Users can then read the contents and therefore the username and password are both readable to the user. Never, NEVER, NEVER, NEVER put an admin username and password in a script unless you want to get screwed by some user that found the password and is actually using it to do and get what he/she wants. I'd probably loose my job or at least get my CEO on my back asking me why the h#ll I shared an admin password with a regular user if this happened.
If you know the computers that cause problems (and if you don't find out) then you should create an admin script that deletes the registry keys remotely and (re)starts the service remotely. Much more secure, the users will never know you did something to the computer they are working on and you'll find them all in reporting to WSUS and getting updates.
OK, NTDOC, thanks man. That was the quickest response ever... The "wuauclt /resetauthorization /detectnow" is actually a utility command. So it should be in the path of all users.... Would I be able to execute it if I make the following additions to your code? (See RUN part I've added) also, If I run this from my computer, logged in as my account (domain administrator) will this execute using my credentials on the remote pcs?
For Each $sComputer In $sComputers $sComputer=IIf(Not $sComputer,'','\\'+Join(Split($sComputer,'\'),'',3)+'\') If $sComputer $Nul = DelValue($sComputer+$Key,'AccountDomainSid') $Nul = DelValue($sComputer+$Key,'PingID') $Nul = DelValue($sComputer+$Key,'SusClientId') $Nul = fnWMIService('wuauserv','stop',$sComputer) $Nul = fnWMIService('wuauserv','start',$sComputer) RUN "wuauclt /resetauthorization /detectnow" EndIf
Mart,
Thanks for the information about kixcrypt. I didn't realize that it decrypts to a regular kix file and stores it locally on the computer.
Registered: 2002-03-27
Posts: 4672
Loc: The Netherlands
Scratching your head like a monkey...LOL never heard that one before.
This part
Quote:
RUN "wuauclt /resetauthorization /detectnow"
will be executed on the local computer because no computer name is given to execute the command on. You could loose that wuauclt stuff and just stop and start the service so all new settings will be loaded when the service starts and the computers should start showing up in WSUS. Doc showed an example that does the trick.
Ok thanks guys. I tested this script on my local machine... and I changed the script to just run for my computer.... $sComputers = 'wrender-lap'
I put the kix32.exe in a folder with the script which I called wsusfix.kix and ran them like this... kix32 wsusfix.kix
It exits, so I assumed the script ran. When I go to check in my registry on my computer (wrender-lap) the entries are still there... I tried refreshing using the F5 key.
I added a line with @error after the delvalue() lines. and it didn't do anything. I tried putting in two computers for the $sComputers and it got a new error. $sComputers = 'wrender-lap','fe-crosstec'
Ok, i've added the $Nul valiable to the Dim's. I don't get the undefined variable error anymore... I ran the script, and it properly removes the registry entries from 'wrender-lap' but does not seem to remove them on the remote computer 'fe-crosstec'.
well... todays decryption capabilities taken, it is.
anyways, error-line always does something. a) you didn't place it in the right place b) your script didn't execute at all c) you didn't execute from command prompt or are using wkix32. then you need to use get $ after the error line
but error-line always does give you something, always.
No, i don't think any of those things are what's causing the registry keys to not be deleted on the fe-crosstec computer. What about this?
On our network, i have kix32 available on the netlogon share, so it is available to all computers. but since i ran this script from a folder with kix32.exe on my local computer, would that effect where the remote computer looks for the kix stuff when it tries to execute the same script?
I guess what I'm trying to get ask is... Does the remote computer on the network need to have access to the kix files. If so, do the files have to be in the same directory or network location as what I have executed them from on my local computer.