defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName

This will need to be run with root permissions, so either use su or sudo to run this in terminal on the machine (i.e. sudo defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName) or you can send it to a few computers through apple remote Desktop using the unix button.  Make sure you choose to have it run as root on the remote computer.

Once you run this on a machine, you can now click on the clock in the upper right hand corner and it will cycle through the computer name, OS Version, and IP Address next to the clock with each click.

I like to give credit that i found this tip on afp548.com[here], it’s not my own creation.  But wanted to repost it so that others would hopefully find it helpful.

In doing research before I moved DHCP i came across an article or a post stating that backing up a server 2003 DHCP server and then restoring it on a 2008 DHCP will appear to work, but will eventually give you problems and\or corrupt.

Not wanting to have to recreate all of our scopes and any reservations that we had set, i did find a way to move the data using the netsh command that doesn’t appear to suffer from the same problems as a backup\restore does.  (I don’t know why, just that my research showed this was the only method to migrate data between the two without risking problems down the road)

On the Source 2003 DHCP Server, open a command prompt and enter the following commands:

netsh
dhcp server
export <Filename.dat> <ScopeAddress>

This will create a file named FileName.dat in whatever directory you are in when you type the nets command.  I named my files the same as the ScopeAddress so as to avoid confusion.

Next you need to get that file onto the 2008 DHCP Server.  You will also need to launch the command prompt as administrator.  The easiest way I’ve found to do that is to find command prompt in the start menu (either the recently used programs or under all programs->accessories and right click and choose run as Administrator.

Now enter the following after you have changed to the directory containing the .dat file you exported previously (NOTE: since the command prompt is running as Administrator, i found that you do not have access to your network shares anymore, copy the .dat file somewhere local on the server):

netsh
dhcp server
import <filename.dat>

you should receive a message that the import was successful.

Refresh your DHCP console on the server 2008 and verify that the scope was created along with all options as well as any existing DHCP Leases.

Now you will need to deactivate the old scope on the 2003 DHCP Server and reconfigure any routers with the new IP Helper-Address so that DHCP requests are sent to the correct DHCP Server.

We took a power outage to our building and the generator that was supposed to come on never did. the UPS was speced to handle the period of time between a power outage and the generator coming on, so after a few minutes all of the servers powered down. Not necessarily what i wanted to come into on Monday morning, but it did highlight a couple of needs that i had expressed over the past couple of years.

When i powered everything back up, I only had 2 servers that came up with any large problems. Both seemed to be issues with the Smart Array controller as the server would get to that point in the POST and would sit at SmartArray E200 initializing for a few minutes and then fail to boot. I contacted support and they had me do a few things:

1. Boot from the Easy Setup CD and go to Maintenance and run Array diagnostics – Array diagnostics couldn’t find that any array controllers were installed.

2. update the flash rom for the server – There is a download for the server that then creates a bootable USB stick that you can use to update a server that won’t boot into the OS.

3. Reseat the Cache module on the controller card – there’s a chip on the Smart Array controller card that on first glance looks like a chubby piece of memory.

4. upgrade Storage Firmware using Maintenance CD – there is another download on the HP site to take their maintenance CD and create a bootable USB Drive.  then you can update\replace some of the drivers on the CD.  once you boot off the USB stick, it can automatically detect any updates and apply them. it also failed to see that there was a Storage controller installed.

5. boot with Cache removed from SA E200 – they then had me remove the Cache module and boot the server with the slot on the controller empty.

6. Move Smart Array card to another slot, Clear CMOS, upgrade Firmware with Smart Update Manager – i considered this their hail mary before they replaced the controller. they had me move the controller card to another slot on the server, clear the CMOS (this is done by holding down a button on the motherboard labeled CMOS, when you power back up the system date and time will need to be reset) and then try to update using the USB key from step 4.

so after all this we were still at the same place as we started.  so they sent out a new Smart Array E200 controller card.

I replace the controller card and was still having the exact same problem.

I got back on the phone with support after quickly running through the above 6 things.  I was trying to save myself having to run back and forth to the server when support asked me to try them again. since i had already exhausted all the prompts on their screen (i guess) they considered this an odd single case issue (funny that i had two servers doing the same thing), and had to get special instructions which amounted to replace the Cache module.

the new cache module came the next day and once installed the server booted normally.

oddly, for the second server the next support person that i got insisted it was the motherboard since booting with the cache module removed did not make any difference and setup for a tech to be dispatched with a motherboard.

I spoke with the tech and he confirmed my suspicion that the motherboard was most likely not faulty and that it was more likely the cache module.  He explained that it used to be that removing the cache module would allow the server to boot, but he has recently found that if the server shipped with the cache module installed, the servers seem to expect it to be there and if it’s not (or it’s faulty) the controller can’t initialize.

So he came out the next day with a new cache module, installed it and the server worked fine.

the first thing i needed to do was get the time out of a text file with Fixed Length. I then had to convert that string to a datetime object so that i could use the various time functions available in Python.

	#get characters located between position 8 and 13.
	In = employee[8:13].strip()

	#define a timeformat for use in various places throughout the program
	TmFmt='%H:%M'
	#take the previously obtained string and convert to datetime object.
	TimeIn = datetime.datetime(*time.strptime(In,TmFmt)[:6])

Let’s look at that last line a little closer

	TimeIn = datetime.datetime(*time.strptime(In,TmFmt)[:6])

first we take the string In and apply a function called strptime along with the format we have defined in the variable TmFmt. strptime can take a date and time in a string and breaks it into tupples, the outer function then converts this to a datetime object and puts it into TimeIn. my example only contains time, but it could also contain the date (%m=month, %d=day, %y=year).

We can now use Python’s time and datetime functions on TimeIn.

say you had a given time and you wanted to add 8 hours to it, you use a function call timedelta.
Assuming that TimeIn is the datetime object that we created in the previous step, we could do the following.

	TimeOut = TimeIn + timedelta(hours=8)

that then adds 8 hours to TimeIn and stores it in TimeOut.

if you had two times, you might want to find the difference between them.

	Shift = TimeOut - TimeIn

yep, that simple. except that Shift is a TimeDelta object. you can print it by just typing print Shift, but if you want to do any comparison on it, you have to compare it to another timedelta object. the below example shows testing if the shift time is greater than 5 hours.

	If Shift > time.timedelta(hours=5):
		print "Full Shift"

here’s a small example making use of some of the things mentioned in one script.

assuming a file name 20110729-time.txt containing:

22134508:0016:0020110729
22142508:0016:1520110729
22131608:0016:0020110729
22111809:0017:0020110729

here’s a script to read through that file and tell you what hours each person worked and how many hours they worked, minus their unpaid meal time. and in the case of >8 hours in a day, adds the additional time again for Overtime.

import datetime,time
from datetime import timedelta

#format for reading time from strings and priting them
TmFmt='%H:%M'

#open import file and create file for export
InputFile = open('20110729-time.txt', 'r')

#read through each line of the import
File = InputFile.readlines()

#For Each Employee in teh above file, process their record
for employee in File:
	ID = employee[0:6]
	TimeIn = datetime.datetime(*time.strptime(employee[6:11],TmFmt)[:6])
	TimeOut = datetime.datetime(*time.strptime(employee[11:16],TmFmt)[:6])
	DateIn = employee[16:24]

	#Get total number of hours for shift
	TotHours = TimeOut-TimeIn

	#Subtract unpaid meal time
	TotHours = TotHours + datetime.timedelta(minutes=-30)

	#See if shift longer than 8 hours, and if so, add the additional time again
	if TotHours > datetime.timedelta(hours=8):
		OTHours = TotHours - datetime.timedelta(hours=8)
		TotHours = TotHours + OTHours

	#Print out a block of information detailing their hours
	print "Employee: " + ID
	print "Date: " + DateIn
	print "Time In: "+TimeIn.strftime(TmFmt)+"\t Time Out: " + TimeOut.strftime(TmFmt)
	print "Total Hours: " + str(TotHours)
	print "\n"

InputFile.close()

but what if you decide that you want to enable it on a few hundred computers, this could take a long time. so I found these commands that can be sent through Apple Remote Desktop which will enable it.

To enable or disable remote login (or SSH):

$ sudo systemsetup -setremotelogin (on|off)

for Windows, i created a .bat file and made it a logon script for the OU containing the users that would access the affected system. The script contained two lines:

#Clear Java Cache
javaws -Xclearcache -Xnosplash

#Clear IE Cache
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

For OS X, we had the following three lines that we sent to the computers through Apple Remote Desktop once the users were logged in:

#Clear Java Cache
javaws -Xclearcache -Xnosplash

#Clear Safari Cache
killall Safari
open -a Safari

I couldn’t find anything for Firefox, so if anyone has commands that clear the cache from Firefox, please share.

it turns out that it appears it is a result of Internet Explorer’s enhanced security in Server 2003. Knowledge base article 815141 (http://support.microsoft.com/kb/815141)covers the enhanced security, but what we’re particularly interested in is about a third of the way down where it talks about security zones:

Access to scripts, executable files, and other files on Universal Naming Convention (UNC) shared folders is restricted unless the shared folder is added to the Local intranet zone explicitly.

so I went into Internet Explorer, Tools -> Internet Settings, Security tab. clicked on Local Network, and then sites. I added \\mydomain.int to the list and now i can edit the logon scripts through GPMC.

The more immediate concern is how do we change the local password on 1000+ computers without having to visit each one? I’ve written a vbscript that takes a comma-delimited file with the first column being the IP and the second being the Computer name and outputs two lists, one that were changed & one that were not. I got the input file from our DHCP Server by exporting the Scope for the building where the password was compromised. I then got rid of the other columns that I didn’t care about. I also broke the file down into smaller chunks just to make it more manageable and so that I could send information to the building tech on the computers that failed in smaller batches.

The script I wrote takes this file as input (c:\script\workstations.txt) and spits back out two files (c:\script\Done.txt & c:\script\NotDone.txt) Done contains the computers that the script was able to contact and changed the local admin password on and NotDone has the ones we were unable to contact and therefore were not changed.

I don’t want to claim this all as my own, so I did borrow the IsAlive function from another post I found. If I can find it again, I will link to that post.

Option Explicit

Dim fso, user, ts, temp, src, WshShell, PINGFlag, ComputerArr
Dim dstGood, dstBad, tsGood, tsBad
Set fSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("WScript.Shell")
src = "c:\script\workstations.txt"
dstGood = "c:\script\Done.txt"
dstBad = "c:\script\NotDone.txt"

If Not fso.FileExists(src) Then
WScript.Echo "File: " & src & " cannot be found."
WScript.Quit
End If

Set ts = fso.OpenTextFile(src,1)
Set tsGood = fso.OpenTextFile(dstGood,2)
Set tsBad = fso.OpenTextFile(dstBad,2)
Do Until ts.AtEndOfStream
	temp = ts.ReadLine
	ComputerArr = split(temp, ",")
	if isalive(ComputerArr(0)) then
		wscript.echo "Ping Success: " & ComputerArr(1)
		Set user = GetObject("WinNT://" & ComputerArr(0) & "/Administrator,user")
		user.setpassword "YourNewPassword"
		user.setinfo
		tsGood.writeline ComputerArr(1)
	else
		wscript.echo "Ping Failed: " & ComputerArr(1)
		tsBad.writeline ComputerArr(1)
	End IF
Loop

Function IsAlive(strHost)
    Const OpenAsASCII = 0
     Const FailIfNotExist = 0
     Const ForReading =  1
     Dim objShell, objFSO, sTempFile, fFile
    Set objShell = CreateObject("WScript.Shell")
     Set objFSO = CreateObject("Scripting.FileSystemObject")
    sTempFile = objFSO.GetSpecialFolder(2).ShortPath & "\" & objFSO.GetTempName
    objShell.Run "%comspec% /c ping.exe -n 2 -w 500 " & strHost & ">" & sTempFile, 0 , True
    Set fFile = objFSO.OpenTextFile(sTempFile, ForReading, FailIfNotExist, OpenAsASCII)
    Select Case InStr(fFile.ReadAll, "TTL=")
         Case 0
            IsAlive = False
         Case Else
            IsAlive = True
    End Select
    fFile.Close
     objFSO.DeleteFile(sTempFile)
    Set objFSO = Nothing
    Set objShell = Nothing
End Function

By doing Radius Authentication I can create rules on the Radius Server as to who can access the switches and what level of access they receive. We already use Microsoft Active Directory, so Microsoft’s IAS was the easy choice for a Radius Server. I’m working on finding a way to script the creation of the client Objects, but for now I created a small number of clients for a small number of switches for testing.

In the IAS console, choose Radius Client. Either Action -> New Radius Client, or right click in the right half of the screen and choose New Radius Client.

Friendly name: DataCenter-1
Enter the IP or the DNS Name of the switch.
Shared Secret: the “password” that the switch and the radius server use to talk. Should be different from other passwords used on your network as it is passed unencrypted.

Next you need to create a Remote Access Policy. Right click in the right half of the screen and choose new Remote Access Policy.

Name: DataCenterSwitchAccess
Access Method: VPN
Choose Group and then click Add. Type the name of the Group in Active Directory that you want to grant access to the switches to. I created a group that I’m going to use just for granting access to the switches with.
Click Next a couple of times and then Finish.

Now we have to make one change and that is the authentication method. Right click on the remote access policy you just created and choose Properties. Click Edit Profile and then choose the Authentication Tab. Unselect anything that is selected on the screen and then check unencrypted Authentication (PAP, SPAP). Click ok twice.

Lastly, we need to set up a Connection Request Policy. I setup a connection request Policy for each User that I wanted to access the switch. One of the reasons that I did this was to be able to include the service type to give certain people manager rights on the switches and everyone else operator rights.

Right Click on the right side of the Connection Policy Screen and Choose new Connection Policy.

I chose to do a Custom Policy

Profile Name: SysAdmin
I added User-Name and entered my username.
On the next screen Choose Edit Profile and Choose the Advanced Tab
Click add and find Service-Type. The default is Administrative, leave this if you want the user to have manager access to the switch. Set it to NAS Prompt if you want the user to be an operator. This user will get be asked to authenticate if they try to enter manager mode, and will get Access Denied If they enter their credentials since they don’t have manager access.

You will need to create a Connection Policy for each user that you want to access the switches.

You will notice that I have not entered an IP address for either of the two Policies that we created. The reason I’ve done this is that I don’t want to have to create a policy for each of the switches, or each of the switch\user combos in the connection policies.

On the switch you will need to enter four commands:

Radius-server host <ipaddress> key <PassPhrase>
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode

the first sets up what Radius Server you want the switch to use and what the Passphrase it should use is. The next two allow you to login to the switch over SSH using radius credentials as allowed by the radius server. The last command enables the processing of the Service Type field that we added to the connection Policy to give access levels.

You can also use radius to Console, web, and telnet authentication, just replace the ssh with the one you want above.

You now can use select AD Credentials to login to the switch. This is part of another project I’m working on which is getting Rancid up and running. I’m hoping to have a post about that up sometime next week.

I wrote this script to handle these two problems. At the beginning of the code you can modify strsrc and srdst to be the source(strsrc) and destination(strdst) that you need for your application. You can also set the age variable to be the number of days you want to retain backups in each directory for.

As always, I don’t claim that my code is pretty, just that it works. feel free to modify or comment on it.

import shutil, os, stat, time
from datetime import date, timedelta

strsrc = "c:\\program files\\Application\\backup"
strdst = "S:\\bkup"
age = 14

strDeleteFromDate = date.today() - timedelta(days=age)

for files in os.walk(strsrc):
	for item in files[2]:
		strFileLoc = strsrc + "\\" + item
		strdateused = os.stat(strFileLoc).st_mtime
		year, day, month = time.localtime(strdateused)[:3]
		strLastUsed = date(year, day,month)
		if strLastUsed < strDeleteFromDate:
			print "/* ", item, ",", strLastUsed, ", Delete */"
			os.remove(strFileLoc)
		else:
			print "/* ", item, ",", strLastUsed, ", Keep */"
			shutil.copy2(strFileLoc, strdst)

for contents in os.walk(strdst):
	for things in contents[2]:
		strFileLoc = strsrc + "\\" + things
		strdateused = os.stat(strFileLoc).st_mtime
		year, day, month = time.localtime(strdateused)[:3]
		strLastUsed = date(year, day,month)
		if strLastUsed < strDeleteFromDate:
			print "/* ", item, ",", strLastUsed, ", Delete bkup */"
			os.remove(strFileLoc)
		else:
			print "/* ", item, ",", strLastUsed, ", Keep bkup */"