ben.neise.co.uk » Uncategorized http://ben.neise.co.uk vSphere & Powershell Scripting Thu, 24 Jun 2010 21:03:04 +0000 en hourly 1 http://wordpress.org/?v=3.0 Automatically setting the machine owner as a custom attribute http://ben.neise.co.uk/index.php/2010/06/automatically-setting-the-machine-owner-as-a-custom-attribute/ http://ben.neise.co.uk/index.php/2010/06/automatically-setting-the-machine-owner-as-a-custom-attribute/#comments Wed, 09 Jun 2010 08:49:58 +0000 Ben http://ben.neise.co.uk/?p=447 As we are constantly creating, moving, renaming and deleting machines, it’s difficult enough to keep track of machines I have deployed myself; never mind keeping track of what the other team members are doing.

In order to try make it easier to find the owner of a machine, we implemented a custom attribute “Infrastructure Consultant”, which the deployer should fill complete. Inevitably, despite the best of intentions, this is occasionally missed, and we end up with machine of unknown provenace.

The following sorts this by finding machines where the custom attribute is empty, then populating it with a best guess, based on the machine’s event log.

It looks for three types of events:-

  • “Deploying…” covers machines which have been deployed from another template
  • “Creating…” covers machines which have been imported via VMware Converter
  • “Clone of…” covers machines cloned from existing machines

This seems to cover everything on our environment. If you find something else, then it should be simple enough to add it.

# Name of the custom attribute which we are wanting to check/update
$strCAInfrastructureConsultant = "Infrastructure Consultant"

# Loop through all the machines
ForEach ($objVM in (Get-VM | Sort-Object Name)){
	Write-Host "Checking " -NoNewline
	Write-Host $objVM -ForegroundColor Blue
	# If the specified custom attribute is empty
	If ($objVM.CustomFields.Item($strCAInfrastructureConsultant) -eq ""){
		# Find the username of the person who created the machine. As this is returned in Domain\Username format, we split it, and take the second portion
		$strInfrastructureConsultant = ((@(($objVM | Get-ViEvent | Where-Object {$_.FullFormattedMessage -match "Deploying*" -or $_.FullFormattedMessage -match "Creating*" -or $_.FullFormattedMessage -match "Clone of*"} | Select-Object Username)))[0].Username).Split("\")[1]
		Write-Host "Adding " -NoNewline -ForegroundColor DarkGray
		Write-Host $strInfrastructureConsultant -NoNewline -ForegroundColor White
		Write-Host " as Infrastructure Consultant" -ForegroundColor DarkGray
		# Write that username to the custom attribute
		($objVM | Get-View).setCustomValue($strCAInfrastructureConsultant,$strInfrastructureConsultant)
	}
}

This doesn’t take a long time to run, and will hopefully catch all those occasions where we forget to complete the custom attributes on the machine. It could of course be easily modified to check/update any other custom attribute.

]]> http://ben.neise.co.uk/index.php/2010/06/automatically-setting-the-machine-owner-as-a-custom-attribute/feed/ 0 Preventing computer password expiry http://ben.neise.co.uk/index.php/2010/01/357/ http://ben.neise.co.uk/index.php/2010/01/357/#comments Thu, 28 Jan 2010 14:53:45 +0000 Ben http://ben.neise.co.uk/?p=357 If you work with non-persistent virtual machines on Windows domains, you will be familiar with your machines being disconnected from the domain every 30 days.When you try to log in, you get a message saying:-

“The trust relationship between this workstation and the primary domain failed.”

The problem is detailed in this KB Article. What happens is that every 30 days (by default) the client initiates a computer password change on the domain controller. This computer password is used to authenticate the computer as the computer object in AD, and is distinct from the user’s password. When the non-persistent machine resets, the passwords go out of synchronization and domain authentication fails.

This can be fixed, as per Microsoft’s KB article, by disabling the client-initiated computer password changes; this can be done using Local or Group Policy, by , or by directly editing the registry.

Using local, or group policy

Set the key shown below to Disabled

Using REGEDIT

Set the below value to 1

Using Windows shell 

 :: Set registry key to disable computer password expiry
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v DisablePasswordChange /t REG_DWORD /d 1 /f

If you’ve got access to the Domain Controller, you can also set a GPO so that Domain Controller: Refuse Machine Password Changes is Enabled. This is in Windows Settings à Securiy Settings à Local Policies à Security Options (the same location as the Domain Member: Disable Machine Account Password Changes).

Also, if you need to rejoin machines that have already fallen off the domain, you can miss the reboot after removing it from the domain, so:

  1. Shut the machine down
  2. Make the drives Persistent
  3. Start the machine and log in
  4. Remove the machine from the domain
  5. Add the machine to the domain
  6. Reboot
  7. Shut-down and make Non-Peristent

Skipping the middle reboot saves a couple of minutes (which adds up if you have a lot to do). The above processes can also be scripted through the use of with Invoke-VMCommand and either NETDOM (for XP/Vista) or for Windows 7.

]]> http://ben.neise.co.uk/index.php/2010/01/357/feed/ 0