Configuration Manager Desired Configuration Management Forum

build OS configuration pack automatically

Wed, 18 Nov 2009 08:40:50 Z

Hi,

How could I build or create the OS configuration pack automatically? Is it possible to make use of Group Policy INF file to create the configuration pack? It's tedious task if modify the original configuration items 1 by 1 to my own settings.

Cannot import configuration packs - Content schema validation failed

Wed, 25 Nov 2009 10:05:04 Z

Hi,

I am having trouble importing oconfiguration packs into the DCM feature in SCCM SP2.
The import configuration data wizard shows [Content schema validation failed]
I'm trying to import the Microsoft Windows 2003 Config pack from Microsoft.
I've tried from my PC and the actual central site server and receive the same error.
The smsprov.log shows the following

[294][Wed 11/25/2009 09:37:49]:ERROR CSDMSource::InsertObject returned 12
[294][Wed 11/25/2009 09:37:49]:
*
*
e:\nts_sms_fre\sms\siteserver\sdk_provider\smsprov\sspconfigurationitem.cpp(1929) : The digest is not valid
*
*
[294][Wed 11/25/2009 09:37:49]:
*
*
The digest is not valid
*
*

If anyone has any ideas, please let me know...I've tried to find the error in the forums with no luck..

Many Than

SDM and LAT files in the CCM\SDMAgent\TypeStore folder

Tue, 24 Nov 2009 17:00:53 Z

Can anyone explain the purpose of these files? We have the DCM agent enabled, but have not yet caonfigured any templates. These files do not appear on all of our systems, but they do on some of our more closely monitored systems, and I need to explain what they are for.

Thanks in advance.

Wireless Configuration

Wed, 18 Nov 2009 21:35:57 Z

Would there be any way for me to use DCM (or any other SCCM feature) to report on my field laptops what machines have their wireless cards configured, what the SSIDs are and whether its a secured or unsecured wireless network? We are getting reports of people in the field configuring their laptops - which transfer sensitive material - to connect to their unsecured home wireless routers and we'd like to know who is doing it so we can rectify the situation.

Thanks

Security Compliance Management Toolkit for Windows Server 2008

Mon, 23 Nov 2009 02:07:05 Z

I found out that the Security Compliance Management Toolkit for Windows Server 2008 scripts for DCM CIs are not getting the correct value/actual value. Any face this problem as well?

System Center Configuration Manager 2007 Configuration Packs

Thu, 24 Apr 2008 00:13:15 Z

If you have questions or feedback about the System Center Configuration Manager 2007 Configuration Packs (published best practices for desired configuration management) e-mail cfgpacks@microsoft.com.

Multiple entries in the Object Tab of Configuration Item

Thu, 05 Nov 2009 15:10:10 Z

I am recreating a number of internal compliance checks in SCCM that we currently carry out under SMS (setup using the Custom Update Publishing Tool (CUPT)).

In one of these checks I check for a specific file name in one of two locations. I can add this to the Object tab as two entries, 1 for each location, but the checks fails if it does not find it in both, which it won't. I only want this to show as non-compliant if the file is in neither location. This could be achieve in the CUPT with an OR statement.

Does anybody know if I can replicate this functionality in SCCM?

Does anyone have any experience with CP Studio, and does this allow more advanced CI's than can be configured directly in SCCM?

Thanks
Andrew

Compliance Status -- Not detected

Fri, 13 Nov 2009 11:41:36 Z

Hi,

I have no idea why all the CI item evaluation for compliance status is "Not Detected" in the report. Any Idea? Here's my DCMAgent.log. There is no error in the log.

DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): State - Detecting DCMAgent 13/11/2009 7:02:18 PM 5668 (0x1624)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): ProcessDiscovery - Baseline - ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/ClonedCI_f4ddcf0b-aa00-4b5a-b1f9-bfa0145b7ba6 DCMAgent 13/11/2009 7:02:18 PM 5668 (0x1624)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): ProcessDiscovery - Baseline - ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/ClonedCI_f4ddcf0b-aa00-4b5a-b1f9-bfa0145b7ba6 - Detecting ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/ClonedCI_f4ddcf0b-aa00-4b5a-b1f9-bfa0145b7ba6:4 DCMAgent 13/11/2009 7:02:18 PM 5668 (0x1624)
DCMAgentJob({E16E242C-E707-4CB5-BD38-CB3B48986A50}): State - Reporting DCMAgent 13/11/2009 7:02:18 PM 5668 (0x1624)
DCMAgentJob({E16E242C-E707-4CB5-BD38-CB3B48986A50}): ReportAssignmentState DCMAgent 13/11/2009 7:02:18 PM 5668 (0x1624)
DCMAgentJob({E16E242C-E707-4CB5-BD38-CB3B48986A50}): State - Complete DCMAgent 13/11/2009 7:02:18 PM 5668 (0x1624)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): CompleteCIDiscovery DCMAgent 13/11/2009 7:02:20 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): CompleteCIDiscovery :: Baseline ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/ClonedCI_f4ddcf0b-aa00-4b5a-b1f9-bfa0145b7ba6 discovery succeeded DCMAgent 13/11/2009 7:02:20 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}):State - Reporting (scan) :: Baseline - ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/ClonedCI_f4ddcf0b-aa00-4b5a-b1f9-bfa0145b7ba6 - Compliant = False DCMAgent 13/11/2009 7:02:21 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}):State - Reporting (scan):: PartCIComplianceState - ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/BusinessPolicy_ba96ebcc-9fc7-4586-8231-ddb1e9eafc3e - Compliant = False Detected = True Applicable = True DCMAgent 13/11/2009 7:02:21 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}):State - Reporting (scan):: PartCIComplianceState - ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/ClonedCI_f78b6f53-d6eb-45a3-9617-95cf1d9418cf - Compliant = True Detected = False Applicable = True DCMAgent 13/11/2009 7:02:21 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}):State - Reporting (scan):: PartCIComplianceState - ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/ClonedCI_2c3e5cd7-5af7-4b6a-8895-7919f1d8eef2 - Compliant = True Detected = False Applicable = True DCMAgent 13/11/2009 7:02:21 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}):State - Reporting (scan):: PartCIComplianceState - ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/ClonedCI_ae849b37-ea4f-4d73-ba74-a1b8a27ff39c - Compliant = True Detected = False Applicable = True DCMAgent 13/11/2009 7:02:21 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}):State - Reporting (scan):: PartCIComplianceState - ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/ClonedCI_3fbe2ba7-d35a-4aa6-9f11-fc676038a17a - Compliant = True Detected = False Applicable = True DCMAgent 13/11/2009 7:02:21 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}):State - Reporting (scan):: PartCIComplianceState - ScopeId_EDEFCFFF-53CD-437F-B16C-84DA40504545/OperatingSystem_5a0dd2ae-f516-4ed7-aeb7-9c0f15af4520 - Compliant = True Detected = False Applicable = True DCMAgent 13/11/2009 7:02:21 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): CompleteCIDiscovery :: 0 more Baseline CIs to be discovered. DCMAgent 13/11/2009 7:02:21 PM 1384 (0x0568)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): CompleteCIDiscovery (all Baselines processed) - Released discovery semaphore DCMAgent 13/11/2009 7:02:21 PM 1384 (0x0568)
DCMAgentJob({A453B4D3-CB95-4859-94FF-F624D64AA0F9}): State - Detecting DCMAgent 13/11/2009 7:02:21 PM 5668 (0x1624)
DCMAgentJob({A453B4D3-CB95-4859-94FF-F624D64AA0F9}): ProcessDiscovery - Baseline - Microsoft.SolutionAccelerator.SecurityCompliance/Baseline_f4ba2e19-1278-49e1-b8ce-c4f839d0329c DCMAgent 13/11/2009 7:02:21 PM 5668 (0x1624)
DCMAgentJob({A453B4D3-CB95-4859-94FF-F624D64AA0F9}): ProcessDiscovery - Baseline - Microsoft.SolutionAccelerator.SecurityCompliance/Baseline_f4ba2e19-1278-49e1-b8ce-c4f839d0329c - Detecting Microsoft.SolutionAccelerator.SecurityCompliance/Baseline_f4ba2e19-1278-49e1-b8ce-c4f839d0329c:3 DCMAgent 13/11/2009 7:02:21 PM 5668 (0x1624)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): State - Reporting DCMAgent 13/11/2009 7:02:21 PM 5668 (0x1624)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): ReportAssignmentState DCMAgent 13/11/2009 7:02:21 PM 5668 (0x1624)
DCMAgentJob({45CAB7FA-6D5A-4048-97FD-499CD5549ECE}): State - Complete DCMAgent 13/11/2009 7:02:21 PM 5668 (0x1624)

Incompliancy due to standard firewall registry settings

Thu, 05 Nov 2009 16:28:42 Z

The setup we have now:
SCCM 2007 SP2 with WS03-EC-Member-Server DCM configuration pack, we then created a policy based on the WS03-EC-Member-Server.inf, pushed it to the server OU and we now have compliant servers except for one CI.

Somehow the CI below is in error:

Name:	WS03-EC-Member-Server-Standard Profile-Child
Type:	Operating System Configuration Item
Content Version:	3
Actual Compliance State:	Non-Compliant
Non-Compliance Severity:	Error
Description:	The standard profile CI contains the settings for Windows firewall policies that, allow the domain administrator to set firewall policies at the domain level.

The only way for me to get rid of this 'error' is to remove the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
even if I set this key to 1 (enabled) it still reports an incompliancy.

Could anyone explain the logic of this CI?
Many thanks!

"Account lockout threshold Script" CI detected the wrong value

Wed, 18 Nov 2009 08:37:25 Z

Hi,

I am using WS08-EC-Domain-Account Lockout Policy-Parent, configuring "Account lockout threshold Script" CI.

I have configured the validation to 5 instead of the default value 50. But I still can see from the parent CI, under the script still showing 50. And I realise it's actually assuming 50 is the current value/actual value. In this case, the CI detected/evaluated the wrong value. How could I change the value automatically from validation tab?

WScript.Echo CheckRange("root\rsop\computer", "RSOP_SecuritySettingNumeric", "Setting", "KeyName='LockoutBadCount' And precedence=1", "50")
Function CheckRange(wmiNamespace, wmiClass, wmiProperty, wmiWhere, ExpectedValue)
On Error Resume Next
Err.Clear

' if "50" = "No Key", CInt() will failed, set ExpectedValue = -1 in that case.
ExpectedValue = CInt(ExpectedValue)
If (Err.Number <> 0) Then
ExpectedValue = -1
Err.Clear
End If
'WScript.Echo "ExpectedValue: " & ExpectedValue

Dim Compliant, NonCompliant, CurrentValue

' Read Current value in this client
CurrentValue = GetCurrentValue(wmiNamespace, wmiClass, wmiProperty, wmiWhere)
'WScript.Echo "CurrentValue: " & CurrentValue
' Case: Current Value = No Key
If (CurrentValue = "") Then
'WScript.Echo "CurrentValue: No Key"
CheckRange = ""
Exit Function
End If

CurrentValue = CInt(CurrentValue)

' set Compliant and NonCompliant return value
Compliant = ExpectedValue
NonCompliant = CurrentValue

' Case: If ExpectedValue = 0, Means Unlimited, any value (CurrentValue) is Compliant
    If (ExpectedValue = 0) Then
CheckRange = Compliant
Exit Function
End If

' Case: If ExpectedValue <> 0, The CurrentValue should LessEqules Expected Value, that is Compliant
If (CurrentValue <= ExpectedValue) Then
CheckRange = Compliant
Exit Function
    End If

' Other Case: NonCompliant
CheckRange = NonCompliant

End Function

Function GetCurrentValue(wmiNamespace, wmiClass, wmiProperty, wmiWhere)
On Error Resume Next
    Err.Clear

    ' Get WMI data
    Dim objWMIService, strWQL, objSettings, objInstance
    Set objWMIService = GetObject("winmgmts:\\.\" + wmiNamespace)
    strWQL = "Select " + wmiProperty +" from " + wmiClass + " where " + wmiWhere
    Set objSettings = objWMIService.ExecQuery(strWQL)

    For Each objInstance in objSettings
GetCurrentValue = objInstance.Setting
Exit For
    Next

' Case: No Key
If (Err.Number <> 0) Then
Err.Clear
GetCurrentValue = ""
Exit Function
End If
End Function</ScriptBody>

lsass.exe high CPU usage with desired configuration mgmt??

Tue, 17 Nov 2009 09:47:18 Z

Hi,

I've started to look at using desired configuration management (SCCM SP2) but noticed soon as I create a baseline and apply it to a collection the lsass.exe process ramps up leaving CPU at 80%+.

I dont 'think' it did this before SP2 but cant be sure. I tested the theory applying a baseline to a single PC and the CPU usgae shot up to abot 50%.

Any help appreciated!

Thanks
Russell

RMW

XP clients not detecing updated baselines configurations for evaluation

Fri, 13 Nov 2009 18:06:34 Z

Hi everyone,

Recently I have been setting up new configuration items and and assigning them via a few baselines to my test machines. This has been working fine, my XP client has been picking up the updated baselines and I have been able to evaluate them. Since couple of days ago i have not been able to get the client to pick up newer versions of the baslines (still picking up version 6 and 14 when they are at 8 and 16).

Has anybody come across this problem and know of a fix. I have checked the DCM related log files on the client and nothing looks out of place.

Thanks
Andrew

Verify that a registry setting in HKLM is correct

Thu, 08 Oct 2009 13:25:25 Z

I'm still new to Desired Configuration Management.

Basically, here is my problem. We had a virus run around our company. We've eliminated the virus, but there are some remnants that are preventing Automatic Updates from working on some machines. The virus changed several registry keys, so we need to find those systems and change the keys back.

One if the damaged keys is:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\imagepath

The value is supposed to be "%SystemRoot%\system32\svchost.exe -k netsvcs"
but the virus changed it to "%fystemRoot%\system32\svchost.exe -k netsvcs"

I have a quick script to fix it, but I need to find the computers first. Does anyone know how to do this with DCM, or is there a better way?

Reporting on DCM - Custom Report

Mon, 09 Nov 2009 12:49:28 Z

Hi,

I am just beginning to setup our reporting requirements in SCCM. I have looked at some of the exisitng reports to see if I could make use of one of these as a base for this report.

What I am trying to acheive is a list of all computers in a specific Collection, showing the number of Configuration Items assigned, compliant and non-compliant for a specific Baseline.

Any help would be appreciated.
Thanks
Andrew

DCM Configuration Items

Tue, 27 Oct 2009 10:05:31 Z

Hi,

I am wondering why the Configuration Items of DCM Configuration Pack consists of 2 same rules but the configuration item names are different --> child & Parent. Please refer to the sample below. What is the purpose for this?

==> WS08-EC-Domain-Account Lockout Policy-Child
==> WS08-EC-Domain-Account Lockout Policy-Parent

DCM validation that IIS Logging is enabled across WebSites on a webserver

Wed, 04 Nov 2009 12:37:41 Z

In looking at the "Vulnerability Assessment: IIS Logging Enabled" configuration item from the Vulnerability Assessment pack, it appears that it only checks for logging compliance at the Web Sites node or level within the IIS Admin UI. It does not check the logging setting for the Default Web Site or any other webs defined. Does anyone have a script that checks the settings for all webs?

DCM Configuration Item for file or folder permissions

Tue, 06 Oct 2009 17:25:05 Z

Hello

I am creating a Configuration Item to Check permissions of a Folder on clients. In the Add "group or username" it only gives option for Domain\user.
Is there a way we could add Local administrator or other local accounts of clients.
Checked for similar questions but couldn't find any..

Any pointers are appreciated. Thankyou !

WMI Configuration Setting

Wed, 04 Nov 2009 18:44:46 Z

Hello........I'm having some issues with a WMI check. Here is how I have it setup:

Namespace: Root\cimv2
Class: NetworkAdapterConfiguration
Property: DefaultIPGateway
Where Clause: ServiceName - 'VMXNET'

For Validation: Equals 192.168.21.3
and I have "report non-compliance event when this instance count fails" checked.

I created two just to test it with - one checking for the correct gateway and one without the correct gateway and they both show up as failed with "instance count validation" failures in the reports. Does this basically mean that it couldn't find the WMI entry at all? Normally when DCM finds something, but it has the wrong entry (like a reg check), it will report back to me what the value was - not just say "instance count validation".

Am I missing something?

Here is a WMI entry that I have setup that IS working fine:

Namespace:   Root\cimv2
Class:    win32_service
Property:   State
Where clause:   name - 'CtxSecGwy'
Validation: Equals Running
and "report non compliance...." is checked.

DCM CI for Registry Key

Mon, 02 Nov 2009 23:29:22 Z

Ok, I know this is probably something really easy and I'm just missing something so here it is.

I'm just looking for the presence of the HKLM\SYSTEM\CurrentControlSet\Control\Print\Connections key. I created a CI and a new Registry Object.

64-bit assiociation unchecked
Report a non-compliance event checked
Instance count Operator: Greater Than
Values: 0
Severity: Information

On my test machine I know the registry key exists and I'm still showing compliant.

What am I doing wrong? I know it's probably something simple. Thanks in advance.

Registry Permissions for LocalSystem in DCM

Wed, 04 Nov 2009 11:35:02 Z

Could anyone provide the correct method to validate the permissions of the LocalSystem account to registry keys using the DCM registry object provided in the GUI? The Domain\User works for domain accounts and the .\Administrators works for the local Administrators but .\LocalSystem, computername\LocalSystem, BUILTIN\LocalSystem do not seem to work for validating LocalSystem access.

DCM: Detect presence of software that are not allowed

Thu, 27 Aug 2009 20:17:23 Z

Hi everyone,

I'm really noob with the DCM's section of SCCM but I've read a lot on forums and tried many things but I can't really find what I'm looking for.

What I need is very simple. I want to create a list of Allowed softwares and I want to be able to check on a regular basis (monthly for example) which computers have softwares installed that are NOT in this list and what are those softwares.

I understood that I need to create a configuration baseline but the only thing I can see in the CI wizard is how to check if a specific software is installed. The same thing on every forums that I've visited... people always ask about detecting if ONE software is installed or not but I'm looking for the oposite in fact.

It seems to me that nor the Create Application Configuration Item neigther the Create General Configuration Item wizards would do the job.

Does SCCM can do it ?
Does DCM is the right tool into SCCM to do what I want or there is a better way ?
How can I compare the already installed software list from the inventory to my allowed list ?

Thanks so much for your help.

Alain

DCM - Access check failed against user 'domainaccount'

Mon, 02 Nov 2009 04:33:29 Z

Hi, After I evaluated, I click on View Report, I can see all configuration items also "not detected". It's Windows Server 2008. In DCMAgent.log, it got this error >> Access check failed against user 'domainaccount'. CLR has been enabled on the Microsoft SQL Server. What else I need to set?

Checking Folder Permissions with DCM - Local Groups/Accounts

Wed, 28 Oct 2009 14:44:04 Z

Hello..I'm trying to use DCM to check permissions for folders across multiple servers. It is fairly simple for a domain group with the object tab, but if I need to check local groups, I can't use the %computername% variable. It gives me an error. Obviously, I can't use the hostname of the box, because it will change depending on which server the dcm config item runs on.

Ideas? I've looked at hte xcalcs.vbs script, but I'm not quite sure how to incorporate that into checking for validation with DCM.

Thanks in advance!

DCMAgent.log - Access check failed aginst user 'id'

Thu, 04 Sep 2008 15:27:03 Z

On Server 08, from the Control Panel applet, when I ask for a refresh, I get the following in the DCMAgent.log:

Access check failed against user 'domainaccount'

domain account is the user id with Admin rights to the server, and full rights to every component of the console. I don't get that message for all Baseline/CIs. I imported the System Center ConfigMgr Baselines & those are evaluating fine on this 08 box. But when I create my own General CI, it throws that error. I recreated the steps on a different lab environment, and it worked fine; so I don't think it's my process; it has to be something I missed or misconfigured in this other lab.

Any ideas on what that message means, and how to remediate?

Using DCM to track GPO Compliance

Thu, 29 Oct 2009 19:18:23 Z

I saw the other thread related to this, but the only solution I saw was in relation to using CP Studio - which we don't have. Can someone tell me how to track a specific setting via WQL wmi query? For instance, if I wanted to see if "Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection\Do not allow COM port redirection" was enabled?

Thanks - I've looked and looked and can't find anything.

Client agent was successfully installed manually from the actual client itself but shows up in the Configuration Manager as no client agent was installed

Mon, 05 Oct 2009 19:29:36 Z

The Client is a HP 7800 SSF with VPro enabled, running XP SP2 residing in the same domain as the site server, I manually ran the msi file from the XP client to install the SCCm client, the installation wizard stated the installation was successful but when looking at the XP collection I see the system but the client the columns for the site name and client installed shows nothing and no respectively. What am I doing wrong?

BPA conversion to DCM

Wed, 07 Oct 2009 16:32:20 Z

It looks like at one point in time there was a tool (BPAtoDCM) to convert XML used by a best practice analyzer to a format the DCM could accept. I can't find any info on this tool - it is still available?

Check if Registry Value Exists?

Mon, 28 Sep 2009 19:41:42 Z

I just want to simply validate if a registry value exists. For example, everyone has the key HKLM\Software\Symantec\ABC\XYZ, but they should also have a string value in XYZ called "XXX". If that value does not exist (not blank, but NOT EXIST) then they are non-compliant. I have tried to created this CI but it does not work.

Will this be an object or a setting?

If setting, how should it be configured?

Thanks!

xtiyu32n

DCM Powershell Code Signing

Tue, 06 Oct 2009 13:35:02 Z

Hi,

I'm using powershell script in my CI's.

I want to use my signed scripts in my CI's but it just doesn't work !!

When I run the script outside DCM, everything fine.

Does anyone knows if code signing is supported in DCM ?

Allways get the Error Compliance state when I change the execution policy from unrestricted to allsigned.

Thanks

DCM Compliance Report problem

Tue, 29 Sep 2009 12:27:23 Z

Hi !

As I get more baseline configured, I want to view report of compliance.

I try to run the report : Summary compliance by configuration baseline

I get this error message:

An error has occurred during report processing. (rsProcessingAborted)
- Query execution failed for data set 'DataSet0'. (rsErrorExecutingCommand)
  - For more information about this error navigate to the report server on the local server machine, or enable remote errors

Other report are working fine, like the Symmary compliance for a configuration item by computer.

Did any one got this message ?

Thanks

Max caracter for username in folder permission CIs check

Tue, 22 Sep 2009 22:49:43 Z

Hi !

I tried to create a General CI that check the permissions on a folder.

When I try to enter my domain\goup name, DCM wont let me enter a group name that has more than 20 caracteres !?!?

Error message: "The Windows Account name you entered is not valid. Please enter a user name of the form: Domain\User"

I don't get any limitation for the length of the domain name !

Is this a bug or a limitation of DCM ?

Thanks !

Frequently updated applications and advice on how NOT to reset my baseline

Wed, 16 Sep 2009 23:17:38 Z

Hello,

I release new baselines and images every quarter worldwide. The image includes items like shockwave, flash, quicktime, etc. The release period is one month for ~2500 computers. During the one month period, if any updates for these products are released or zero days are released then they are slipstreamed into my deployment.

My problem is updating the CI's to reflect these new versions, resets the baseline, and then I have to wait 1-3 days for evaluation to complete and all systems to report. This totally messes up my reporting, and I essentially lose two days of reporting any time a zero day is released. No too mention my heart sinks when my compliancy drops back down to zero again.

I was thinking of creating the CI so it would look for the version number with a greater than or equal to. So that when the new version comes out, it will show up as compliant. Problem being most of my CI's reference the registry and versions in the registry are string based, so greater than or equal to is not an option. I will probably switch most of them to file versions to support this.

How is everyone else dealing with their baselines and products that update very often? Do you put them into a seperate baseline or just reset the whole thing. I don't want to reset the baseline for the whole month if possible.

Thanks guys,
The Moose

HKCU Registry Value?

Fri, 04 Sep 2009 19:43:56 Z

Is it not possible to configure a CI based on HKEY_CURRENT_USER?

I saw this post and that's what I assume this means?
http://social.technet.microsoft.com/forums/en-US/configmgrdcm/thread/a0410ceb-6ca5-47f4-97b8-9d3da78ea749/

I just want a simple CI that shows if the screen saver is enabled. I have created one based on the HKCU\Control Panel\Desktop key and string value SCRNSAVE.EXE. My screen saver is enabled, but it comes back non-compliant, showing that 3 other users are not compliant (mine is not listed).

BTW -- when I created a standard CI based on HKLM, it returns correctly.

Any ideas? Thanks.

xtiyu32n

Printing DCM CI's and Baseline's

Wed, 16 Sep 2009 23:08:13 Z

Hello,

I was wondering what everyone uses to print and review their configuration items and baselines? I came across the article "print your task sequence automagically" and love this for task sequences. Unfortunately I couldn't get it to work on my CI's or Baseline's and am not too familiar with XML stuff.

Does anyone have any recommendations on how to print the CI's and baseline's into an easily reviewable format? I have alot of settings being checked wthin each CI and want to review those with my team.

Thank you,
The Moose

MAXPWAGE

Wed, 16 Sep 2009 06:51:41 Z

Hi All,

Do you know how to check items such as MAXPWAGE using Desired Configuration Manager? There is no registry setting for this configuration item.

CI Agent Failed to Startup

Mon, 07 Sep 2009 09:50:07 Z

i imported ConfigManager2007 configuration pack into SCCM 2007 and applied to server collections containing AD and SCCM machine. after a while, running HomePage Summarization, the graph shows 100% Unknown state. furthermore, in c:\program files\SMS_CCM\ciagent.log opened using SMSTrace, it shows error that CI Agent Failed to Startup (0x800004015).
I have verified that SCCM has .Net FrameWork 2.0 installed. Logged on account is Ent. Admin.
what exactly is causing this issue.

Custom Configuration Packs

Mon, 14 Sep 2009 05:37:27 Z

hey Everyone,

is there a tool to automate the creation of configuration packs? Can I baseline a machine (e.g. Vista / Win7) and have its settings output as a configuration pack? or, Can I start with a bunch of registry files or an rsop and turn them into a configuration pack?

In other words, how can I create my configuration baseline without having to set each setting one at a time?

Powershell Scripts Cause DCM Discovery Failure/Errors on Some Servers

Mon, 15 Jun 2009 06:21:22 Z

Is anyone having problems with using Powershell scripts in DCM validation rules? I am targeting about 1500 servers with about 200 validation rules. 37 servers have discovery failures only on the validation rules that use Powershell scripts. The scripts work fine on the remaining 1400+ servers. The problem servers are Windows 2003/Windows 2008. Something the servers have in common is that nearly all of them are Citrix or Virutual servers. Attached is a snippet of discovery.log for one problem server:

6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function expand('%systemroot%\system32\windowspowershell\v1.0'): Object count final: 1.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function alternateWowUapFileNames('C:\WINDOWS\system32\windowspowershell\v1.0','','Native','FileUserAccountLimited'): Object count final: 0.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function alternateWowFileName('C:\WINDOWS\system32\windowspowershell\v1.0','FileWow6432File'): Object count final: 1.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function alternateWowUapFileNames('C:\WINDOWS\system32\windowspowershell\v1.0','','FileWow6432File','FileUserAccountLimited'): Object count final: 0.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function directoryExists('C:\WINDOWS\system32\windowspowershell\v1.0'): Object count final: 1.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function files('C:\WINDOWS\system32\windowspowershell\v1.0','powershell.exe',''): Object count final: 1.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function time('C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe','c'): Object count final: 1.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function time('C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe','w'): Object count final: 1.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function fileAttributes('C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe'): Object count final: 1.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function fileSize('C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe'): Object count final: 1.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function none(): The interoperation method 'OpenProcessToken' returned Win32 error '0x000003F0(1008)' message ''.
6/15/2009 8:22:36 AM    DiscoveryProvider:Discovery Function fileVersionInfo('C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe'): Object count final: 1.

6/15/2009 8:22:37 AM    DiscoveryProvider:Discovery Function execute('#Script gets the execution policy setting.
                                                                        $ErrorActionPreference = 'SilentlyContinue'
    $ExPol = (Get-ExecutionPolicy)


    If (($ExPol -like "RemoteSigned") -or ($ExPol -like "Un','ps1',''): The provider encountered an error condition during function execution.

I realize the interopeation errors are considered to be bogus. The final line of the snippet seems to be the issue. The other 1400+ servers do process the script without issue. Anyone have some input on this? Seems like a bug......

SCCM with SMS 2003 AD Ext.

Tue, 01 Sep 2009 14:16:59 Z

Hi Guys,

i have installed a SCCM environment and it works pretty well, so far. But now i have the problem, that clients do work correctly with the sccm. i configured the Client Push Installation as followed: MSI PROPERTIES are INSTALL="ALL" SMSSITECODE="xxx" SMSCACHESIZE="20480" SMSSLP="FQDN Name from Server" CCMHTTPPORT="80" CCMHTTPSPORT="443" CCMHTTPSSTATE="0" CCMFIRSTCERT="0"

Clients receives the advertisements normaly, but then they stay in status "Downloading" for ever... :-(
Do you have some ideas?

The SCCM is installed without SCCM 2007 AD Extend, but we have a SMS 2003 Schema Extension.
And a second Question: There is a second SMS 2003 Infrastruture in this Domain. Can this create any Problems?

Very best Regards,
Marco

DCM- Something strange.

Wed, 12 Aug 2009 14:56:46 Z

Hi All. We have configured a Baseline for checking if "user logged into the machine" (domain account) has the Standard Wall paper and Screen saver which is defined in the Group policy. When checked the DCM report, it show as non-complaint even though the valid Wall paper and screen save is available for the user. When checked further, its actually comparing the value of WP and SV set in the Baseline with all user profiles available in the system registry including local user accounts. How to mitigate this. We want it should check the baseline value against logged on user only (domain account) and not with local user profiles.

Thank YOu.