Programs for connecting local networks. Remote software installation. Really smart scanner

Conditions for performing installation using RPC

When installing using RPC, the Administration Server first copies files to the remote computer using ordinary file copying over the Microsoft network. The destination folder is the administrative shared folder Admin$ on the remote computer. Only administrators are allowed to access this folder over the network, which means that copying must be performed on behalf of a user who has the appropriate rights on the remote computer. Administrator rights are also required to later run the installer using RPC.

By default, the remote installation task is executed on behalf of the Administration Server service. If the Server is installed in a domain, then during installation it is possible to select an account to start the Server service. Typically, this is an account with domain administrator rights, in which case all installation tasks will have the required rights on computers that are members of the domain.

But it can be another account that does not have the required rights, or even a Local System Account that does not have any rights on remote computers. In this case, the account for remote installation can be specified in the task settings.

But even using administrator credentials does not guarantee access to the administrative share Admin$, because network access may be limited by the settings of the remote computer. Therefore, before creating and executing a remote installation task, it is recommended that you verify that you have access by opening the folder at \\<remote computer name>\Admin$. If you don't have access, you should check whether the remote computer has one of the following restrictions set.

The folder may also be inaccessible because the computer is turned off, so you additionally need to make sure that there is a network connection with the computer. The easiest way to do this is to use the command

ping

Simple file sharing

In non-domain Windows XP Professional, Simple File Sharing is enabled by default. In this mode, you do not need to specify a username and password at all to access files over the network, but access to administrative shared folders (Admin$, c$ etc.) is prohibited.

To disable simple file sharing and return to the normal access control scheme, open Windows Explorer, select the Tools menu and the Folder Options item. In the window that opens, go to the View tab, find the item Use simple file sharing (recommended) and turn it off.

When a computer running Windows XP is added to a domain, simple file sharing is disabled automatically.

Security model for local users

Again, this applies only to Windows XP that is not part of a domain. By default, for security reasons, all local users connecting over the network are given guest privileges. Because administrator rights are required to access the administrative shared folder Admin$, it is not possible to obtain the required access in this mode.

You can change the behavior of the operating system in the computer's security policy. To do this, press Start, Run and type secpol.msc in the launch line. In the window that opens, expand the node Local Policies and select the container Security Options. The network access rights of local users are governed by the Network access: Sharing and security model for local accounts setting. The value "Guest only - local users authenticate as Guest" prevents normal network access and should be changed to "Classic - local users authenticate as themselves".

As with simple file sharing, when you join a computer to a domain, the security model automatically changes to normal.

Blank passwords

Another default limitation adopted in Windows XP. In order for a user to access a computer over a network, they must have a non-blank password, that is, one that consists of at least one character. Otherwise, access will be denied.

This restriction is also defined in the local security policy. The corresponding parameter is named Accounts: Limit local account use of blank passwords to console logon only and can be in one of two states, Enabled and Disabled.

To bypass the restriction, you can either change the administrator password to a non-empty one, or turn off the specified setting in the security policy. The first method is recommended, as it is more secure.

Windows Firewall

Starting with Windows XP SP2, the operating system's built-in firewall is enabled by default and blocks almost all incoming connections. This also blocks network access to administrative shared folders on the computer. There are two ways to solve this problem:

  1. Completely disable the firewall
  2. Allow network access to files

In both cases, you need to open Control Panel and run the Windows Firewall setup program in it. You can turn off the firewall on the first tab, General, and to allow network access to files you need to go to the Exceptions tab and check File and Printer Sharing there. If the Windows XP computer is part of a domain, the exception will be enabled automatically.

Similar problems can be caused by any other firewall, not only the one built into the operating system, and not only on Windows XP SP2 or Windows Vista. The solution remains the same: allow file and printer sharing. The specific settings will depend on the firewall you are using.
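An added example, not part of the original page: a PowerShell pre-flight check for the conditions above, run from the administration workstation under the account the installation task will use. The function names and host names are hypothetical; `forceguest` and `LimitBlankPasswordUse` are the registry values behind the two local security policy settings described above.

```powershell
# Added example. Function names are hypothetical; host names are constructed.
function Test-AdminShareAccess {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$TimeoutMs = 2000
    )

    # 1. Reachability. ICMP can be filtered, so a failed ping is not final.
    $ping = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # 2. SMB (TCP 445), which the File and Printer Sharing exception allows.
    $smb = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, 445, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($pending)
            $smb = $client.Connected
        }
    } catch {
        $smb = $false   # name not resolved or connection refused
    } finally {
        $client.Close()
    }

    # 3. The share itself, with the credentials of the current session.
    $share = $false
    if ($smb) {
        $unc = '\\{0}\Admin$' -f $ComputerName
        $share = [bool](Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue)
    }

    # Map the three results to the causes listed in the text.
    if ($share)    { $hint = 'OK: Admin$ is accessible' }
    elseif ($smb)  { $hint = 'Admin$ denied: check account rights, simple file sharing, guest security model, blank password' }
    elseif ($ping) { $hint = 'Host is up but TCP 445 is closed: allow File and Printer Sharing in the firewall' }
    else           { $hint = 'No response: host is off, unreachable, or a firewall drops everything' }

    New-Object PSObject -Property @{
        Computer = $ComputerName; Ping = $ping; Smb445 = $smb
        AdminShare = $share; Hint = $hint
    }
}

# Run locally on the target (workgroup Windows XP) to read the two policy
# settings from the registry instead of opening secpol.msc.
function Get-LocalSharePolicy {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Object PSObject -Property @{
        # forceguest: 1 = Guest only, 0 = Classic
        GuestOnlyModel        = ($lsa.forceguest -eq 1)
        # LimitBlankPasswordUse: 1 = blank passwords work at the console only
        BlankPasswordsLimited = ($lsa.LimitBlankPasswordUse -eq 1)
    }
}

# Constructed host names; replace them with the computers in the task scope.
'pc-001', 'pc-002' |
    ForEach-Object { Test-AdminShareAccess -ComputerName $_ } |
    Format-Table Computer, Ping, Smb445, AdminShare, Hint -AutoSize
```

A host that passes all three checks still needs the firewall exception kept narrow: enabling File and Printer Sharing is preferable to disabling the firewall completely.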

Installing the Agent using RPC

The installation package required for the installation of Network Agent is created automatically during the installation of the Administration Server, and therefore it is not necessary to create it.

In the properties of the package, you can set the parameters for connecting to the Server and reboot parameters. Since the installation of the Agent usually does not require a restart, and the Server connection parameters correspond to the Server settings specified during its installation, you can use the default package settings.

During the initial deployment of Agents, a global task is usually created and the installation is started manually, after which the administrator closely monitors the results of the installation.

). It solves the following tasks:

  1. Remote administration.
  2. Remote command execution.
  3. Remote installation of applications.
In fact, it is a convenient graphical shell for the psexec utility. The program window is divided into groups of fields and buttons corresponding to these three tasks:
  1. Host - IP address/name of the remote computer. The program constantly tries to connect to it and signals the result:
  • Red - the computer was not found (maybe a firewall is enabled on it).
  • Yellow - the computer was found, but the credentials are incorrect / there are not enough rights / "simple file sharing" is enabled on the remote PC.
  • Green - the computer is found, the credentials are correct, there are rights.
You can also specify a list of computers here. To do this, double-click in an empty field - the default list name will appear - @list. You can edit the list by double-clicking on it with the mouse. There can be several lists, but they must all start with the character "@".
  2. user - the name of the account to connect to the remote computer.
  3. Pass - account password for connecting to the remote computer.
    By double-clicking here, you can get the LAPS password - it will be copied to the clipboard.
During the connection/installation, the program tries each of the credentials specified in the program settings, as well as those specified in the fields user and Pass.

    The program settings are read at launch from the file rinstall.ini, which can be in the directories "%PROGRAMFILES%\Rinstall\" and "%USERPROFILE%\Rinstall\" (the latter takes precedence).

    1. Remote administration

    1. - get information about the system.
    2. - get a list of installed software.
    3. - start the computer management console.
    4. - start a remote shell.
    5. - connect through the Configuration Manager client.
    6. - connect via remote desktop.
    7. - connect via remote assistant.
    8. - connect via TightVNC.
    9. - connect through Radmin.
    10. - open a remote resource.
    11. - see what is taking up space on the disks of the remote computer.

    2. Remote command execution

    1. - a command (executable file: *.exe, *.bat, *.cmd, *.vbs, *.hta, etc.) executed on a remote computer. By default, the device manager startup command is specified.
    2. - Arguments (parameters/switches) of the command, if needed.
    3. [x] Copy - copy the command to a remote computer (in this case, you need to specify its full path on the local computer).
    4. [x] Hide - execute the command invisibly.
    5. [x] Wait - wait for the command to complete.
    6. - start Far.
    7. - run shell.
    8. - start the startup manager.
    9. - run the uninstall manager.
    10. - update group policies (with the /FORCE key).
    11. - terminate all psexec processes.
    12. - update the IP address.
    13. - restart the computer.

    Commands are executed on a remote computer with SYSTEM rights.

    It is convenient to launch portable applications as commands (do not forget to check the box Copy). Here, however, there are incomprehensible problems with the launch of SFX archives on remote computers with a 64-bit OS...

    3. Remote installation of applications

    Applications (Rel Path) are placed on any network resource (Net Path). Access to it is carried out according to the credentials (Net User, Net Pass). During the installation of the application on a remote computer, a network drive (NetDisk) is connected.

    Requirements for installed applications:

    1. The application must be in a separate folder and installed automatically.
    2. The application folder must be written in the Latin alphabet.
    3. Inside the application folder there should be a file install.bat, which installs the application. It is also desirable that this file supports the key -u (uninstall application).

    All these requirements are met by mine.

    If WSUS is installed in the Windows domain, the admin is happy and calm: updates are installed automatically, traffic has decreased, there is no need to run around to each computer, and so on. In principle, everything else is the same, but not everyone uses Microsoft Outlook or Internet Explorer in their work (although 8 is pretty good). There are many people who are used to working with The Bat! mailer, Opera or the Mozilla browser. When the question of updates arises, either it is a headache for the admin, who has to run to each computer to update, say, Opera for everyone, or users must work with administrator rights (albeit local, not domain ones).

    Naturally, neither the first nor the second method is an option. So it is necessary to be able to automatically install programs on workstations, and it is desirable to do this before the user has logged in: once logged in, he will no longer want to restart the machine, and so on. The user has to be presented with a fait accompli: the program, his favorite Opera, has already been updated, and the admin does not care that for some reason he likes version 10.10 less than the previous one. An update has come out and needs to be applied. No options.

    The most common answer to the question "HOW?" is "Through Active Directory, of course!", as any specialist or ordinary system administrator will tell you. "And how, through AD?" you ask. "What, you don't know how to do it through AD? It's simple, through a policy!" they will say, but most likely they will tell you nothing more, because for most advisers this question is as unclear as it is for you. So you will have no choice but to google until you drop, because finding a huge tome on "how to deploy Office 2007 on a corporate network" is not a problem, but something simple and in a nutshell is rare. Not without pride I can say that this article is one of the few short, "no bells and whistles" ones I have come across.

    Installing programs from MSI

    Suppose we want to automatically install the Firefox browser (and install updates as they come out). The MSI file for Firefox can be downloaded.

    I will skip setting up the .adm template, because it is far from always necessary, and even more often you will have a hard time finding this template at all. The result is the default settings (or, if we install over an old version, the settings will be saved). We don't need the .adm template.

    Distributing access rights

    I assume that all computer accounts (except for domain controllers) are in the OU "OU Office Computers".

    Note 1:

    Why is it better not to use the original location of computers (Computers - Domain Computers in the Active Directory Users and Computers snap-in)? It is more convenient for me to manage policies for groups of computers in the future. In addition, when I attended Microsoft courses, I saw that on domain controllers in test systems and in production systems configured by Microsoft specialists, practically only separately created OUs are used, and not the basic ones. I decided to repeat the experience of specialists for myself. For now, it just makes me feel better. Naturally, IMHO.

    Note 2:

    Not all users need Firefox (as not everyone needs The Bat, Opera, etc.). Therefore, we will create a separate group of computers in "OU Office Computers" on which Firefox will be installed. For clarity, let's call the group GFirefoxComputers. I note that this will be a group, not a nested OU!

    We share any folder on the server (in the figure it is SoftwareDistibution, not Mozilla Firefox, as it may seem) and give the group GFirefoxComputers read access and the admin full access (the admin's user account, not the admin's computer: after all, you should be able to upload files to the share over the network ;)).

    To check how everything works, you can do without the GFirefoxComputers group at first, so as not to complicate your life right away and not to blame group policies if something goes wrong ;)

    Policy rules the world!

    On the domain controller, run the group policy editor GPMC.MSC:

    And we create a group policy associated only with our OU "OU Office Computers" called "Firefox 3.6.3 rus":


    Editing our "Firefox 3.6.3 rus" policy:


    Preparing a Firefox Distribution for Web Deployment

    In the "User Configuration" -> "Software settings" -> "Software Installation" section, right-click and create a new object to install: our future Firefox installer.

    Choose the MSI file that someone has carefully placed in the shared folder. Important: you need to choose a network path to the file, not a local one, because the user will access your installation over the network, not locally on the server.

    Select "Assigned":

    This completes the work with the "Software Installation" branch.


    Close all open windows on the server (if that doesn't interfere with other tasks, of course), then Start -> Run -> gpupdate /force

    Installation on workstations

    After that, it is enough to restart the workstations for Firefox to be installed automatically BEFORE the login/password window appears. In other words, the user will not be able to install something, forget to, and so on. That is why this method is so good: you decide remotely what will be installed or updated on the workstations.

    Windows XP sometimes does not "accept" new policies on the first reboot, so you can go to the user, run the "gpupdate /force" command (not necessarily as administrator) and restart his computer.

    Be sure to test the installation on your own or a test computer BEFORE the users come in the next morning and turn on their computers. What if something goes wrong? So, at least the first time, try it on yourself first.

    Additionally

    Now the latest version of the Firefox browser will be installed on any new computer added to the OU Office Computers. You don't even have to do anything. Simple and very helpful. In the same way, you can install almost any software, including Adobe Reader, Adobe Flash Player (which normally require administrative rights to install), The Bat, and whatever other software is used on your local network; keeping it up to date is one of the duties of a system administrator.

    Nuance: if you have already installed a package, in our case Firefox 3.6.3 rus, and after a while you need to update it (because sooner or later a new version of the browser will come out), first remove the policy that installs Firefox 3.6.3, then create a new one. Then "gpupdate /force" and go!

    TeamViewer is a free program that allows you to remotely control your computer via the Internet. This is one of the most popular utilities for such purposes. Literally in a matter of seconds, the program will provide you with a visual connection with your computer from anywhere in the world. You can download the program for free in Russian via a direct link from our website.

    TeamSpeak is a program for devices running Windows designed to organize multi-user voice conferences over a local or global network using VoIP technology. TeamSpeak is aimed primarily at gamers who communicate with each other during online games, but can also be used by employees of various organizations for conferences and meetings.

    Hamachi is one of the most famous VPN (virtual private network) tools. Using this program, you can easily establish an encrypted connection over the Internet between remote computers, simulating a LAN connection. By starting the Hamachi service, users will be able to share equipment - printers, webcams, and more. You can download the program for free on our website and install it on your computer with Windows 7, 8 or XP.

    Home media server (UPnP, DLNA, HTTP) is a modern free Windows program for the convenience of viewing various media files on your computer on a TV, tablet, player, or other devices with network connection or WiFi. Based on the multifaceted experience of the development of the Internet, the program is able to function independently of the operating system used in the device.

    SHAREit is a popular cross-platform program from Lenovo designed for easy data exchange between different devices connected to one wireless network. Thanks to this program, you can easily transfer files between Windows computers.

    Wireshark is a free, functional sniffer program for Windows designed to analyze the traffic of computer networks of various types, including PPP, Ethernet, FDDI, Token-Ring and many more. The program is a fairly easy-to-use utility with low system requirements and wide functionality.