Posts

Configuration Manager – Does not have permission to update the prereq or state flag of the package

When attempting an upgrade of System Center Configuration Manager v1511 to 1606, I ran into issues relating to the permissions of the Security Scope in Configuration Manager for the account I was doing the upgrade under.

I also had issues enabling Automatic Client Upgrade, which was grayed out. After some research I found that the original Full Administrator account, which was used by a contractor to do the SCCM environment installation, had been deleted from Active Directory and had explicit ownership of All Scopes and Collections. This was fixed by taking ownership of the Scope and Collections as described below.

ConfigMgr Error Object:

instance of SMS_ExtendedStatus
{
    Description = "User \"DOMAIN\\User\" does not have permission to update the prereq or state flag of the package. ";
    ErrorCode = 1112017920;
    File = "e:\\nts_sccm_release\\sms\\siteserver\\sdk_provider\\smsprov\\sspupdatepackages.cpp";
    Line = 435;
    ObjectInfo = "2";
    Operation = "ExecMethod";
    ParameterInfo = "SMS_CM_UpdatePackages.PackageGuid=\"0D256560-ED2C-45B5-8D75-4D38AB3F758C\"";
    ProviderName = "WinMgmt";
    StatusCode = 2147749889;
};

To resolve this issue, I needed to make changes to the Configuration Manager (SCCM) SQL database. I don’t take responsibility for any damage this may cause, and of course highly recommend doing this in Test first and making sure a SQL backup has been done beforehand.

1. Open SQL Management Studio with an account that has sysadmin permissions on your SCCM database – and connect to it.

2. Expand Databases, and locate your SCCM database. Right click your database and select New Query

3. Type in or Copy the following Query and Execute it:

select * from RBAC_ADMINS

4. You should now get all the specified Administrators for the SCCM role-based Full Administrator group; this includes LogonName, DisplayName and their CreatedBy and Created Date.

5. Now we need to set the correct permissions on the Security Scope – find the account you want to make Full Administrator (best practice would indicate – this should be an Active Directory group, which your account is then a member of to avoid future problems) and note down the AdminID of your account

6. Clear the Query box and type in:

Update v_securedScopePermissions Set categoryid='sms00all' where adminid=<ADMINID>

7. Replace <ADMINID> with the AdminID number of your account, without the <>.

8. When you are ready to make the change, click Execute

9. You have now successfully gained Full Administrator permissions over all Scopes and Permissions. Close the SCCM console and relaunch and you should now be able to do the upgrade or enable Automatic client upgrade.

BgInfo Configuration & User Deployment using Group Policy

Introduction

BgInfo is beneficial for endpoint device support: it displays the asset number, IP address and logged-on username overlaid on top of the wallpaper. It is OS independent and can be used across other Windows Desktop and Windows Server environments.

BGInfo is a free Windows Sysinternals utility created by Microsoft engineer, Mark Russinovich.

This utility runs under the user’s context and does not need admin rights. As such, we will create this as a user-based Group Policy which runs upon logon.

How do I create a BGInfo package?

Use the following guide to create the BG Info package…

  1. Run and extract it to a folder – for example c:\temp\bginfo

  2. Run BGInfo; you will be prompted with the default configuration.

  3. You can delete fields from the black window as applicable. In this example we are going to use just three fields:

Host Name:    <Host Name>

IP Address:    <IP Address>

User Name:    <User Name>

  4. To add more, select Fields and Add. If there is a field you need that isn’t selectable from the defaults, you can also query Environment Variables, Registry and WMI by clicking on the Custom button. We are sticking with the defaults, so click Apply to review changes.
  5. We also want to replace the Background so it isn’t the default black color, so click on Background…

  6. Because this will be rolled out to multiple users, we either need to have a BMP or JPG that will be on every single computer in the same location, or one that is accessible to all authenticated users on the network. We will be going with option 2 – using the domain’s namespace and the NETLOGON folder to store BGInfo and the wallpaper. Copy the wallpaper you want to an easily accessible share that authenticated users have Read access to. I am using a Wallpaper folder, under the NETLOGON folder.
  7. Navigate to: \\DOMAIN\netlogon\Wallpaper\Desktop.jpg, select Stretch as the Wallpaper position and click Ok.

  8. For future wallpaper changes, this will need to be modified again to point towards the newest wallpaper. Click Apply.
  9. Verify that the settings are correct and it looks ok. If so, we now need to save the configuration so it can be reused – click on File and select Save As.
  10. Name it: config.bgi

  11. Restart your computer to lose the changes. You can now test the configuration file from the command line: open PowerShell or Command Prompt (as a normal user), navigate to the place where you have saved the BGInfo executable and the configuration file, and type:

bginfo.exe config.bgi /accepteula /silent /timer 0

  12. Press Enter and that should force BGInfo to load with your changes without any user prompt.

How do I deploy BGInfo package?

Use the following guide to deploy the BG Info package. Because this is a user based application and needs to run under user context on login, we are going to use a logon script using a user based group policy – for specific users only.

  1. Open Active Directory Users and Computers and create an application group to assign the users to that you want to have the BGInfo wallpaper – for example _APP_BGInfo – and add your user account to that group.
  2. Open the Group Policy Management tool using an account that has access to create Group Policies, right click on the OU with your user account (or Computer, if you have Loopback enabled) and select Create a GPO in this domain, and Link it here…

  3. Specify a name for the Group Policy, such as BgInfo-UserPolicy, and click Ok

  4. Right click the Policy and select Edit…
  5. Navigate to: User Configuration\Policies\Windows Settings\
  6. Click on: Scripts (Logon/Logoff)
  7. Double click Logon to open the Logon Properties
  8. I prefer to keep my scripts and source files replicated across Domain Controllers and located in the same location as my Group Policy – so click Show Files…

  9. Copy your BGInfo executable and configuration file into the folder. If you get errors, you may need to launch Explorer or map a drive using Domain Admin credentials, which usually have write access to the SYSVOL.

  10. Now we need to create a batch script that will be run by the group policy to launch BGInfo. Right click a blank space in the folder and select New, Text Document

  11. Rename the file to: Run_BGInfo.bat

  12. Right click the bat file and select Open with, Notepad
  13. Go back to Windows Explorer; we now need to get the Group Policy location/path. Right click on the Address pane and select ‘Copy as Text’
  14. Enter the following (the path from \\DOMAIN to Logon is the location of your Group Policy, copied in Step 13) and click Save:

@echo off

\\DOMAIN\SysVol\luke.geek.nz\Policies\{8BBCd98E-4907-4D45-B662-8034A55B0352}\User\Scripts\Logon\Bginfo.exe \\DOMAIN\SysVol\luke.geek.nz\Policies\{8BBCd98E-4907-4D45-B662-8034A55B0352}\User\Scripts\Logon\config.bgi /accepteula /silent /timer 0

Exit

  15. Double click Run_BGInfo.bat to confirm it works, and if not, modify the batch script until it does – it needs to point towards the exact BGInfo executable and configuration file. To avoid extra spaces, it may be best to keep the command on a single line, with only a space between BgInfo.exe and the path to the configuration file.

  16. Once it is confirmed working, go back to the Group Policy created in Step 3. Before we add the script, we need to set the Scope so the policy doesn’t affect users that are not supposed to get the BGInfo wallpaper.
  17. Under the Scope tab, remove Authenticated Users from the Security Filtering and add the Active Directory group created earlier – i.e. _APP_BGInfo – and also check the Delegation tab and make sure Authenticated Users is added with Read rights.

  18. Now right click the BGInfo group policy, select Edit and navigate back to: User Configuration\Policies\Windows Settings\
  19. Click on: Scripts (Logon/Logoff)
  20. Double click Logon to open the Logon Properties
  21. Click Add and Browse
  22. Select Run_BGInfo.bat, click Open and click Ok
  23. You have now successfully created the user-based policy that will run the Run_BGInfo.bat script on user logon
  24. Restart and verify that your Desktop wallpaper has now been changed. Other users in the Active Directory group will need to restart or log off and back in to pick up the changes.
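Because every member of the group runs whatever sits in that logon-script folder, it is worth checking that the executable is still the signed Sysinternals binary and that only administrators can change the files. The following PowerShell is an added example, not part of the original post; the list of trusted principals and the expected publisher string are assumptions to adjust for your domain.

```powershell
# GPO logon-script folder, as used in the batch file above.
$ScriptDir = '\\DOMAIN\SysVol\luke.geek.nz\Policies\{8BBCd98E-4907-4D45-B662-8034A55B0352}\User\Scripts\Logon'
$Files     = 'Bginfo.exe', 'config.bgi', 'Run_BGInfo.bat'

# Assumptions: who may modify the folder, and who is expected to have signed BGInfo.
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
           'DOMAIN\Domain Admins', 'DOMAIN\Enterprise Admins'
$ExpectedPublisher = '*O=Microsoft Corporation*'

# 1. The executable should carry a valid Authenticode signature from that publisher.
$sig = Get-AuthenticodeSignature -FilePath (Join-Path $ScriptDir 'Bginfo.exe')
$signedOk = $sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like $ExpectedPublisher

# 2. Nobody outside $Trusted should hold write-type rights on the folder or files.
$FSR  = [System.Security.AccessControl.FileSystemRights]
$mask = [int]($FSR::Write) -bor [int]($FSR::Delete) -bor
        [int]($FSR::ChangePermissions) -bor [int]($FSR::TakeOwnership) -bor
        0x40000000 -bor 0x10000000   # raw GENERIC_WRITE / GENERIC_ALL bits

$paths = @($ScriptDir) + @($Files | ForEach-Object { Join-Path $ScriptDir $_ })
$writable = foreach ($p in $paths) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $Trusted -and
            ([int]$_.FileSystemRights -band $mask) -ne 0
        } |
        Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference, FileSystemRights
}

# Summary first, then every unexpected write-capable ACE for review.
[pscustomobject]@{
    SignatureStatus  = $sig.Status
    Signer           = $sig.SignerCertificate.Subject
    SignatureOk      = $signedOk
    WritableByOthers = @($writable).Count
}
$writable | Format-Table -AutoSize -Wrap
```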

How to configure Active Directory delegation to allow users to move computers between OUs

  1. Open Active Directory Users & Computers with AD rights
  2. Right click on the organisational unit you want to give access to and click Delegate Control
  3. Add the group you want to give this access to, for example “IT HelpDesk”
  4. Select “Create a custom task to delegate” and click Next
  5. Select “Only the following objects in this folder”
  6. Check “Computer Objects”
  7. Check “Create selected objects in this folder”
  8. Check “Delete selected objects in this folder” and click Next
  9. Make sure Write is checked and click Next
  10. Click Finish

Repeat steps 2 to 10 again on other OUs you would like to delegate move rights to.
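To confirm what the wizard actually granted, the ACL on the OU can be read back and checked for entries that reach beyond computer objects. The following PowerShell is an added example, not part of the original post; the OU distinguished name and the EXAMPLE domain prefix are assumed placeholders, and it needs the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory   # RSAT module; provides the AD: drive

# Assumed values, not from the original post: replace with your OU and group.
$OuDn  = 'OU=Workstations,DC=example,DC=com'
$Group = 'EXAMPLE\IT HelpDesk'

# schemaIDGUID of the computer class. An all-zero GUID on an ACE means "any".
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$ADR      = [System.DirectoryServices.ActiveDirectoryRights]
$childOps = [int]($ADR::CreateChild) -bor [int]($ADR::DeleteChild)
$modify   = [int]($ADR::WriteProperty) -bor [int]($ADR::Self) -bor
            [int]($ADR::Delete) -bor [int]($ADR::DeleteTree)
$takeover = [int]($ADR::WriteDacl) -bor [int]($ADR::WriteOwner)

$report = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group -and
                   $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $rights = [int]$_.ActiveDirectoryRights
        $onComputers = $_.InheritedObjectType -eq $ComputerClass
        $notes = @()
        if (($rights -band $takeover) -ne 0) {
            $notes += 'can rewrite the ACL or take ownership'
        }
        if (($rights -band $childOps) -ne 0 -and
            $_.ObjectType -ne $ComputerClass -and -not $onComputers) {
            $notes += 'create/delete is not limited to computer objects'
        }
        if (($rights -band $modify) -ne 0 -and -not $onComputers) {
            $notes += 'write/delete is not limited to computer objects'
        }
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            ObjectType = $_.ObjectType
            AppliesTo  = $_.InheritedObjectType
            Scope      = $_.InheritanceType
            Inherited  = $_.IsInherited
            Review     = $notes -join '; '
        }
    }

$report | Format-Table -AutoSize -Wrap
# Number of entries that grant more than computer-object create/delete/write.
@($report | Where-Object Review).Count
```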

Connecting OSX 10.9 to Active Directory

Connecting OSX 10.9 to an Active Directory domain is very easy. Follow the quick guide below:

  1. Click on the Apple Menu
  2. Click System Preferences
  3. Select Users & Groups
  4. Click Login Options
  5. Click Join
  6. Click Add and type in the name of the Active Directory domain
  7. Enter the credentials of an Active Directory user with domain rights to add workstations to the domain
  8. Click Ok