SteveIT

  1. SteveIT

    Office purge and replace with 365 script

    I like the script for sure - as long as you grab the latest ODT setup.exe and plug it in I think you're in business. I had a special case I added to this where it could loop through the OfficePurge section more than once (for cases where multiple versions of Office are present that need to be removed). Thanks!
  2. Is there a version of this that could work for Remote Monitors?
  3. SteveIT

    RMM Security Best Practices

    Other things I am thinking about but do not have answers for yet:

    • IIS sites - are any of these considered legacy and not safe to remain active?
    • Automate plugins - is there a sanity check we can do or any plugins that we should consider not safe to maintain? I am not aware of any that expose anything publicly in the same way this Kaseya/Manage integration did, but feel it's worth discussing.
  4. SteveIT

    RMM Security Best Practices

    For us, it's causing us to do a review of...

    • Any 3rd party consulting or services we used that had access into our systems
    • API keys used by our current integrations
    • Any users that don't have MFA enabled
    • Any connections to our NOC systems from foreign/poor reputation IPs

    I'd definitely be interested in what others out there are doing in light of this. Would love to have a checklist of sorts coming out of this that I could come back to our team with, showing we are doing our due diligence.
  5. SteveIT

    Auvik deployment

    Updated original post with new exports of the install and removal scripts that have the new AuvikService.exe URL which will work correctly moving forward. This also includes the new regional cluster name in the setup URL (us1 in my case). Please modify line 62 of the installer script if you are on a different cluster. Also added a simple Role Detection sql for Auvik Collector. While it doesn't necessarily mean that a client is fully set up for Auvik, it's at least an indicator of where the service is installed and running which could be useful. Also with the new network probe, the mitigation to change the TFTP port to 0 does not work. You can try updating that line in the script to use a different port for TFTP, but I'm not positive it will work. I think @mnpuckett had done some work on this to deal with the new network probe a bit more gracefully, but I seem to have lost it in my Slack history (duh). If you have those modifications post them here again and I will get them into the original script here so it's nice and finished.
  6. CW Automate Database Migration Guide

    I recently performed a successful database migration for our org to a new server with higher specs. I spent some time with CW consulting before the migration, reviewing the new server base install and working through some of the initial issues there (like making sure all our connectors really ARE the right version, and dropping the default anonymous MySQL user). They also gave me some pointers for the actual database migration process which are not in the CW documentation.

    This guide is not a replacement for proper consulting. If you don't know what the stuff below means, you should probably stop and have a talk with CW about getting assistance.

    In our case we were migrating the database to a single server, but I would expect some of these same steps could be utilized for someone going from a single server to a split server as well.

    ASSUMPTIONS: This guide does NOT cover the Automate 12 base install on the target server. It assumes the target server has all firewall ports opened, Automate base install completed, trial license and services are all working. Complete these steps ahead of time, and the steps below can be used as a checklist for performing the actual cutover.

    Server Installation Reference: https://docs.connectwise.com/ConnectWise_Automate/ConnectWise_Automate_Documentation/020/010

    CUTOVER CHECKLIST

    • Firewall
      ○ Check and confirm prerequisite access rules are in place (should mirror current Automate server)
    • DNS
      ○ 1 day prior, drop TTL for A record to low value (1800)
      ○ Start time, update A record to new destination, keep TTL low
    • Source server
      ○ Set maintenance mode at all agents level
      ○ Stop/disable Automate services
      ○ Export database structure and data
      ○ Reference: https://docs.connectwise.com/ConnectWise_Automate/ConnectWise_Automate_Documentation/020/070
      ○ Ignore history tables, eventlogs, windowsupdateetlfiles tables from data export
      ○ Copy export to new server
    • Target server
      ○ Install all current Windows Updates
      ○ Disable automatic restart outside of active hours https://docs.microsoft.com/en-us/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart
      ○ Stop Automate services
      ○ Export lt_servers and lt_servers_sec
      ○ Drop labtech
      ○ Create labtech
      ○ Import old server exported structure, then data
      ○ Discuss: Observed some duplicate primary key errors on import - had to uncheck box "abort on error"
      ○ Copy LTSHARE data from old server
      ○ Truncate lt_servers and lt_servers_sec
      ○ Import from new server data export
      ○ Set Labtech Redirector Service to delayed startup
      ○ Start services
      ○ Discuss: Start/stop errors on Solution Center service. Required. Initial errors logging in to Control Center / high CPU usage on mysqld. Waiting for initial read/hashing of Transfer folder items to complete.
      ○ Change license key
      ○ Run latest monthly patch again
      ○ Restart
      ○ Update Automate server to computerid 1
      ○ Check plugins, agent status
      ○ Check for agent check-ins, command execution
      ○ Take agents out of maintenance mode
      ○ Set up azure blob backup job scheduled task
  7. SteveIT

    Privileged accounts changes alerts

    The closest I have to this is a monitor that looks for a recently created DA. It looks like there is a WhenChanged column in the ad_plugin_entries table we could use in here. This one was based off a RAWSQL monitor Gavsto shared in the slack channel.

    LT - Domain Admin recently created

        SELECT
          CONCAT(dom.DomainName, '\\', usr.AccountName, ' - ', 'Recently Created') AS TestValue,
          CONCAT_WS(' - ', clients.name, usr.AccountName) AS IdentityField,
          usr.FirstName, usr.LastName, dom.DomainName, ent.ParentDN,
          usr.LastLogonTimeStamp, ent.WhenCreated, usr.PwdLastSet, usr.LockoutTime,
          acd.NoAlerts, acd.UpTimeStart, acd.UpTimeEnd, computers.computerid
        FROM plugin_ad_users AS usr, plugin_ad_entries AS ent, plugin_ad_domains AS dom,
             computers, clients, AgentComputerData AS acd
        WHERE dom.InfrastructureServerID = Computers.computerid
          AND computers.clientid = clients.clientid
          AND usr.ObjectGuid = ent.ObjectGuid
          AND ent.DomainGUID = dom.ObjectGuid
          AND DomainAdministrator = 1
          AND acd.Computerid = computers.computerid
          /* drop rows where bit value 2 is set in AccountControls */
          AND NOT usr.AccountControls & 2
          /* only entries created in the last 7 days */
          AND ent.WhenCreated > (NOW() - INTERVAL 7 DAY)
          /* skip computers listed in AgentIgnore for AgentID 238123 */
          AND computers.ComputerID NOT IN (Select ComputerID from AgentIgnore Where AgentID=238123)
        ORDER BY Clients.Name ASC, AccountName ASC

    Matches for any domain administrator account created in the last 7 days.

    LT - Domain Admin recently created.sql
  8. SteveIT

    Auvik deployment

    Here is my Auvik deployment script that I've built for a pretty pain free collector install. It assumes a few things.

    • You have the Auvik plugin installed and configured with a user that has collector install rights.
    • You have MSP client and clients set up in Auvik matching the Auvik/Automate best practices https://support.auvik.com/hc/en-us/articles/212478146-Integrating-ConnectWise-Automate-with-Auvik. (In short, Automate Client = Auvik MSP Client, Automate Location = Auvik Client)
    • You have all applicable Clients and Locations mapped to their respective MSP Clients and Client sites in the Auvik plugin.

    When run normally, the script will determine what Auvik domain to install itself to based on the current computer's location and what Auvik domain it's mapped to in the plugin. It checks whether it's being run on an Automate probe server and tries to disable TFTP in the probe config if it is (Thanks Darren). It also checks for existing services running on TFTP or FTP ports (TCP 69/21), and exits with an error if a conflict is found.

    For a client with multiple locations that you wish to install as a shared collector, use the SetToOneForSharedCollector parameter to deploy Windows Service as Shared collector at MSP Client level. The script will find the MSP client domain by matching up the client ID with what is in the plugin table. All that's left is to find the shared collector in the portal and then associate it with the clients you wish to enable it for.

    Imports to Scripts\Auvik

    • Install Auvik Service.xml
    • Remove Auvik Service.xml
    • AuvikRole.sql
  9. SteveIT

    Script Backup

    Excellent script!
  10. SteveIT

    Automate 12 - Should I Upgrade?

    How long have you been using CWA12?
    Installed today 1/12 (didn't even realize it, but I made the jump to 12 on the 12th!)

    What problems if any were encountered DURING the upgrade. How was it resolved? (Or is it still an issue?)
    No issues applying the upgrade. Completed in <10 min.

    What problems if any were encountered POST upgrade. How was it resolved? (Or is it still an issue?)
    • One user reported losing the + sign beside clients after working for some time. Recommending he complete CC clear and reset steps (will share below)
    • Another user on Win10 had Control Center repeatedly crashing when launching, even after reinstalling with a fresh download. Complete CC clear and reset fixed the issue (thanks Wai Wong!)

    What is your feedback on the changes? What do you like best/worst?
    Feedback is positive so far, most of the things just work though I do miss some of the drag and drop functionality. Ignite Manager still has some dialog boxes that don't work (Edit Alert Template... could have been broken before moving to 12). Still getting used to things like Monitors and Searches opening up in a separate window. Navigating from Scripts to Clients/Groups feels very slow compared to just scrolling up in the nav tree.

    What feedback did you get from your other users/techs?
    "I didn't have any problems with the install"

    Troubleshooting
    If you run into issues with Control Center crashing, use the following steps to fully clear out and reinstall CC.
    • Download the new Control Center from [YOUR_AUTOMATE_SERVER_URL]
    • Uninstall Control Center
    • Delete the Labtech Client folder in c:\programdata and c:\programfiles (x86)
    • Open Regedit, delete HKEY_CURRENT_USER\Software\LabTech\Client
    • Reinstall the Control Center
  11. SteveIT

    Change Hyper-V Guest VM MAC Address Prefix from default

    I am trying to implement this as a monitor / autofix so we can pick up on any Hyper-V servers that are set up and picked up as a role. My problem is after running, the resulting MacAddressMinimum -like '00155D*' is still true. So the detection for checking if it's the HYPERVDEFAULT is not really working here.

    Randomly generated MacAddressMinimum: 00-15-5D-0B-1F-20

    I'm thinking calculating the default MacAddressMinimum wouldn't be that hard to figure out and incorporate into the first line default config check command.

    From: https://www.ivobeerens.nl/2014/01/13/check-for-duplicate-mac-address-pools-in-your-hyper-v-environment/

    The MAC address pool is generated as follows:

    • The first three octets are Microsoft’s IEEE Organizationally Unique Identifier, 00:15:5D (which is common on all Hyper-V hosts)
    • The next two octets are derived from the last two octets of the server’s IP address
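The default-pool check discussed in the post above, as an added example that is not part of the original post or of any script from the thread. It uses only the two rules quoted there (the 00:15:5D prefix, then the last two octets of a host IP address); the function name and the sample addresses are hypothetical.

```powershell
# Added example. Test-HyperVDefaultMacPool is a hypothetical helper name.
function Test-HyperVDefaultMacPool {
    param(
        # Value to test, e.g. the MacAddressMinimum reported by Get-VMHost
        [Parameter(Mandatory)][string]$MacAddressMinimum,
        # Every IPv4 address bound to the host; any of them may have seeded the pool
        [Parameter(Mandatory)][string[]]$HostIPv4Address
    )

    # Accept 00-15-5D-0B-1F-20, 00:15:5d:0b:1f:20 or 00155D0B1F20
    $mac = ($MacAddressMinimum -replace '[-:.\s]', '').ToUpperInvariant()
    if ($mac -notmatch '^[0-9A-F]{12}$') { throw "Not a MAC address: $MacAddressMinimum" }

    # A pool outside the Microsoft prefix cannot be the generated default
    if (-not $mac.StartsWith('00155D')) { return $false }

    foreach ($ip in $HostIPv4Address) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { continue }
        if ($parsed.AddressFamily -ne 'InterNetwork') { continue }   # IPv4 only

        # Octets 4 and 5 of the default pool are the last two octets of the IP, in hex
        $b = $parsed.GetAddressBytes()
        $expectedPrefix = '00155D{0:X2}{1:X2}' -f $b[2], $b[3]
        if ($mac.StartsWith($expectedPrefix)) { return $true }
    }
    return $false
}

# Constructed sample input: the MAC quoted in the post against two made-up host addresses
Test-HyperVDefaultMacPool -MacAddressMinimum '00-15-5D-0B-1F-20' -HostIPv4Address '192.168.11.31'
Test-HyperVDefaultMacPool -MacAddressMinimum '00-15-5D-0B-1F-20' -HostIPv4Address '192.168.40.7'
```

A monitor built on this flags a host only when its pool still matches the value derived from its own addresses, so a regenerated pool that keeps the 00155D prefix is no longer reported as default.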
  12. Remediation is going to be updating BIOS/AMT firmware or disabling vPro from what I gathered. Is that accurate?
  13. SteveIT

    No Uninstaller app removal

    It is pretty effective BUT you have to be careful what you feed into it. I tried to cover a lot of cases here but it is not a replacement for a proper uninstaller. Thanks!
  14. SteveIT

    No Uninstaller app removal

    In response to the CCleaner recent supply chain issue, I wanted to build a software removal script that could be used to remove an app if we assume the uninstaller has been compromised and is malicious. It seems that was not the case in this recent scenario, where the uninstaller successfully removed the app, but in a different scenario, the uninstaller could be broken to further infect/trigger an infection which I wanted to account for.

    This simple PowerShell is hardcoded for CCleaner, but the version in the script uses a parameter that can be set on execution. If no AppName parameter is set it will default to CCleaner. It does a few things:

    - Searches for running processes located within the AppName folder in Program Files and stops them
    - Searches for running processes matching the AppName and stops them
    - Removes SOFTWARE registry keys matching the Application Publisher name and removes them
    - Removes UNINSTALLER registry entries matching the AppName
    - Removes CLASSES registry entries matching the AppName
    - Removes any installed services running processes matching the AppName path
    - Removes Program Files, ProgramData, and Start menu items matching the AppName or Publisher name

    Please use CAUTION when running this, as it could be DESTRUCTIVE if the wrong AppName is specified! I broke a Windows install testing using this to remove a CentreStack Windows client which is not a good idea since it uses a file system driver :eek:

        $RegUninstallPaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
        $AppName = 'CCleaner'
        $RegSWPaths = @(
            'HKLM:\SOFTWARE',
            'HKLM:\SOFTWARE\Wow6432Node')
        $ClassesRootPath = "HKCR:\Installer\Products"
        $ServicePath = 'HKLM:\SYSTEM\CurrentControlSet\Services'

        #stop processes running from the AppName folder in Program Files, then any process named like AppName
        Get-WmiObject Win32_Process | Where {$_.ExecutablePath -like '*Program Files*\'+$AppName+'\*'} | Select @{n='Name';e={$_.Name.Split('.')[0]}} | Stop-Process -Force
        get-process -Name *$AppName* | Stop-Process -Force -ErrorAction SilentlyContinue

        #clean up REG software keys
        $UninstallSearchFilter = { ($_.GetValue('DisplayName') -like $AppName) }
        #publisher comes from the matching uninstall entry; it stays empty when the app is not registered
        $AppPublisher = Get-ChildItem $RegUninstallPaths -ErrorAction SilentlyContinue | Where $UninstallSearchFilter | Foreach { $_.GetValue('Publisher') } | Select -First 1
        #with an empty publisher the paths below would resolve to HKLM:\SOFTWARE itself, so only run when one was found
        if ($AppPublisher) {
            foreach ($Path in $RegSWPaths) {
                if (Test-Path "$Path\$AppPublisher") { Remove-Item "$Path\$AppPublisher" -Force -Recurse }
            }
        }

        #clean up REG uninstaller entry
        foreach ($Path in $RegUninstallPaths) {
            if (Test-Path $Path) {
                Get-ChildItem $Path | Where $UninstallSearchFilter | Foreach {Remove-Item $_.PsPath -Force -Recurse }
            }
        }

        #clean up REG classes
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
        Get-ChildItem $ClassesRootPath | Where { ($_.GetValue('ProductName') -like $AppName) } | Foreach {Remove-Item $_.PsPath -Force -Recurse }

        #clean up services
        Get-ChildItem $ServicePath | Where { ($_.GetValue('ImagePath') -like '*'+$AppName+'*') } | Foreach {
            #sc.exe addresses a service by its key name (PSChildName), not by its display name
            sc.exe stop $_.PSChildName
            sc.exe delete $_.PSChildName
            #remove the key if the service manager left it behind
            if (Test-Path $_.PsPath) { Remove-Item $_.PsPath -Force -Recurse }
        }

        #clean up program files
        if (test-path $env:Programfiles\$AppName\) { Remove-Item $env:Programfiles\$AppName\ -Force -Recurse }
        if (test-path "C:\Program Files (x86)\$appname\") { Remove-Item "C:\Program Files (x86)\$appname\" -Force -Recurse }
        if (test-path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\$appname\") { Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\$appname\" -Force -Recurse }
        #publisher-named folders are only touched when a publisher was found, otherwise the path is the parent folder
        if ($AppPublisher -and (test-path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\$AppPublisher\")) { Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\$AppPublisher\" -Force -Recurse }
        if (test-path "C:\ProgramData\$appname\") { Remove-Item "C:\ProgramData\$appname\" -Force -Recurse }
        if ($AppPublisher -and ($AppPublisher -ne 'Microsoft') -and (test-path "C:\ProgramData\$AppPublisher\")) { Remove-Item "C:\ProgramData\$AppPublisher\" -Force -Recurse }
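A read-only preview for the removal script in the post above, added here as an example and not part of the original post or script. It lists what a given AppName would match and flags driver services, the case the post says broke a Windows install. Get-RemovalPreview, the refused-name rules and the four-character minimum are assumptions of this example.

```powershell
# Added example. Get-RemovalPreview is a hypothetical name; nothing here deletes anything.
function Get-RemovalPreview {
    param([string]$AppName = 'CCleaner')

    # Refuse names that would make the -like and path matches far too broad
    if ([string]::IsNullOrWhiteSpace($AppName) -or $AppName.Length -lt 4 -or
        $AppName -match '[\*\?\[\]\\/:]' -or $AppName -in 'Microsoft', 'Windows') {
        throw "Refusing unsafe AppName '$AppName'"
    }

    $uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    $entries = Get-ChildItem $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('DisplayName') -like $AppName }
    $publisher = $entries | ForEach-Object { $_.GetValue('Publisher') } |
        Where-Object { $_ } | Select-Object -First 1

    $entries | ForEach-Object {
        [pscustomobject]@{ Kind = 'UninstallKey'; Target = $_.Name; Risk = '' }
    }

    # Services whose ImagePath mentions the app. Type 1 is a kernel driver and
    # Type 2 a file system driver; deleting those by hand can leave Windows unbootable.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('ImagePath') -like "*$AppName*" } |
        ForEach-Object {
            $risk = if ($_.GetValue('Type') -in 1, 2) { 'DRIVER - do not remove by hand' } else { '' }
            [pscustomobject]@{ Kind = 'Service'; Target = $_.PSChildName; Risk = $risk }
        }

    # Folders the removal script would delete; the publisher folder only if a publisher was found
    $dirs = @("$env:ProgramFiles\$AppName", "${env:ProgramFiles(x86)}\$AppName", "$env:ProgramData\$AppName")
    if ($publisher) { $dirs += "$env:ProgramData\$publisher" }
    $dirs | Where-Object { Test-Path $_ } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Folder'; Target = $_; Risk = '' }
    }
}

Get-RemovalPreview -AppName 'CCleaner' | Format-Table -AutoSize
```

Any row with a non-empty Risk column is a reason to stop and use the vendor's removal path for that component instead.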
  15. SteveIT

    Service Plan Overview

    This is awesome and perfect for the Ignite overview I have been looking for. This helped me spot a couple of clients that were not onboarded fully which is something I have wanted some better visibility of. Thanks!